zlib: Critical vulnerability in untgz tool allows code smuggling – no update yet
A critical vulnerability in the untgz tool of the zlib library, which is included in many operating systems and programs, allows code smuggling.
(Image: Skorzewiak / Shutterstock.com)
IT researchers have discovered a critical security vulnerability in a tool from the zlib compression library, a library that is included in numerous programs and operating systems. It can potentially allow the injection and execution of malicious code. An update to patch the security hole is not yet available.
On the Full Disclosure mailing list, which is no longer very active, IT researcher Ronald Edgerson has posted details of the security vulnerability. A buffer overflow can occur in the TGZfname() function of zlib's untgz tool, which handles the decompression of .tar.gz archives (often simply .tgz). The cause is a strcpy() call that copies user-provided data into a global static buffer of 1024 bytes without a length check. Supplying a longer archive name causes a write outside the intended memory boundaries and corrupts memory. The vulnerability has now received the entry CVE-2026-22184 (CVSS4 9.3, risk “critical”).
The untgz tool is a user-contributed program from the contrib folder. The programs in that folder are not supported and are therefore not part of every zlib package.
Impact of the Security Vulnerability
Edgerson explains that the consequences could include a crash (Denial-of-Service, DoS), corruption of subsequent global objects, undefined behavior, or even the execution of injected code. However, the outcome still depends on the compiler used, the system's processor architecture, the build flags, and the memory layout. The vulnerable code runs before any parsing or checking of the archive, so the flaw is triggered simply by calling the tool with a prepared command-line parameter. Since global memory is affected, the memory errors can have effects beyond the function and later influence program behavior.
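As an added illustration that is not zlib's own code and not taken from the report, here is the unbounded-copy pattern the article describes beside a bounded replacement that rejects names that would not fit; the suffix list, the helper names and everything except the 1024-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NAME_BUF_SIZE 1024   /* the 1024-byte static buffer the article mentions */

/* Candidate suffixes tried after the user-supplied name (assumed list). */
static const char *TGZsuffix[] = { "", ".tar", ".tar.gz", ".tgz", NULL };

/* The weak pattern: the caller-controlled name is copied into a fixed
 * static buffer with no length check, so a longer name writes past the
 * buffer into adjacent global memory. Shown for contrast only. */
char *TGZfname_unchecked(const char *arcname)
{
    static char buffer[NAME_BUF_SIZE];
    strcpy(buffer, arcname);          /* no bound: overflow on long input */
    return buffer;
}

/* Hardened helper (assumed name): writes "<arcname><suffix>" into out and
 * returns 0, or returns -1 without writing if the result, including the
 * terminating NUL, would not fit in outlen bytes. */
int tgz_build_name(const char *arcname, const char *suffix,
                   char *out, size_t outlen)
{
    size_t alen = strlen(arcname);
    size_t slen = strlen(suffix);
    if (alen + slen + 1 > outlen)
        return -1;                    /* reject instead of overflowing */
    memcpy(out, arcname, alen);
    memcpy(out + alen, suffix, slen + 1);
    return 0;
}

/* Hardened lookup (assumed name): probes each candidate with access() and
 * returns the first existing name, or NULL when none exists or the name is
 * too long for the buffer. */
char *TGZfname_checked(const char *arcname)
{
    static char buffer[NAME_BUF_SIZE];
    for (int i = 0; TGZsuffix[i] != NULL; i++) {
        if (tgz_build_name(arcname, TGZsuffix[i], buffer, sizeof buffer) != 0)
            return NULL;
        if (access(buffer, F_OK) == 0)
            return buffer;
    }
    return NULL;
}
```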
zlib up to and including the current version 1.3.1.2 is affected, according to Vulncheck, which created and published the CVE entry. Updated software is not yet available. At the time of the report, there is no sign of a fix in the source code of the zlib GitHub project, although a problem report was recently submitted.
In the fall of 2022, the zlib library last drew attention due to a critical security vulnerability. There too, attackers could exploit the security-relevant error to inject and execute malicious code. At that time, however, updates were available promptly.
It should be emphasized that the untgz tool comes from the contrib folder of user-contributed software, which is by definition unsupported. The tool is therefore not part of all zlib packages.
(dmk)