Zlib


By the Year

In 2026 there have been 2 vulnerabilities in Zlib with an average score of 2.9 out of ten. Zlib did not have any published security vulnerabilities last year. That is, 2 more vulnerabilities have already been reported in 2026 as compared to last year.

Year  Vulnerabilities  Average Score
2026  2                2.90
2025  0                0.00
2024  0                0.00
2023  1                9.80
2022  2                8.65

It may take a day or so for new Zlib vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Zlib Security Vulnerabilities

zlib <1.3.2 CPU Exhaustion via CRC32Combine64 Loop Shift
CVE-2026-27171 2.9 - Low - February 18, 2026

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Improper Validation of Specified Quantity in Input

zlib untgz Global Buffer Overflow pre1.3.1.2
CVE-2026-22184 - January 07, 2026

zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

Memory Corruption

MiniZip in zlib 1.3: Integer overflow and heap buffer overflow via long filename
CVE-2023-45853 9.8 - Critical - October 14, 2023

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

Integer Overflow or Wraparound

zlib 1.2.12: Heap buffer overread/overflow in inflate() from large gzip header
CVE-2022-37434 9.8 - Critical - August 05, 2022

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Memory Corruption

zlib before 1.2.12: Memory corruption when deflating input with many distant matches
CVE-2018-25032 7.5 - High - March 25, 2022

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Memory Corruption

zlib 1.2.8: Unspecified impact via big-endian CRC calculation in crc32_big (crc32.c)
CVE-2016-9843 - May 23, 2017

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

zlib 1.2.8: Unspecified impact via improper pointer arithmetic in inffast.c
CVE-2016-9841 - May 23, 2017

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

zlib 1.2.8: Unspecified impact via improper pointer arithmetic in inftrees.c
CVE-2016-9840 - May 23, 2017

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

zlib 1.2.8: Unspecified impact via left shifts of negative integers in inflateMark (inflate.c)
CVE-2016-9842 8.8 - High - May 23, 2017

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.


zlib 1.2.2: Denial of service (application crash) via an invalid file producing a large dynamic tree in inftrees.h
CVE-2005-1849 - July 26, 2005

inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.

zlib 1.2 and later: Denial of service (crash) via a crafted compressed stream with an incomplete code description
CVE-2005-2096 - July 06, 2005

zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.

zlib 1.2.x: Denial of service (application crash) via error handling in inflate and inflateBack
CVE-2004-0797 - October 20, 2004

The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).

zlib 1.1.4: Buffer overflow in gzprintf when compiled without vsnprintf or when long inputs are truncated using vsnprintf
CVE-2003-0107 - March 07, 2003

Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.

zlib 1.1.3 and earlier: Double free in inflateEnd via a block of malformed compression data
CVE-2002-0059 - March 15, 2002

The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.


Vendor: Zlib
Product: Zlib