CVE-2022-37434

CRITICAL9.8EPSS 92.5%

zlib - security update

Published: 8/5/2022Modified: 4/28/2026

Description

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Affected packages (6)

Alpine/zlibfrom 0, < 1.2.11-r4
Alpine/zlib-ngfrom 0, < 2.0.6-r0
Debian/libz-mingw-w64from 0
Debian/zlibfrom 0, < 1:1.2.11.dfsg-2+deb11u2
Debian/zlibfrom 0, < 1:1.2.11.dfsg-1+deb10u2
Debian/zlibfrom 0, < 1:1.2.11.dfsg-2+deb11u2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2022-37434
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-37434