zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads...

1.7 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

Description

zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.

Basic Information

ID CVE-2026-27820

Source GitHub_M

Published Apr 16, 2026 at 17:27

Modified Apr 16, 2026 at 18:20

Affected Product

Vendor ruby

Product zlib

Version < 3.0.1

Affected Versions ruby zlib < 3.0.1
ruby zlib >= 3.1.0, < 3.1.2
ruby zlib >= 3.2.0, < 3.2.3

CWE Classification

CWE-120 CWE-131

References

{
    "lastseen": "",
    "description": "zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.",
    "published": "2026-04-16T17:27:48.944Z",
    "modified": "2026-04-16T18:20:21.451Z",
    "type": "cve",
    "title": "zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption",
    "source": "GitHub_M",
    "references": "https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w\nhttps://hackerone.com/reports/3467067",
    "id": "CVE-2026-27820",
    "bulletinFamily": "",
    "cwe": [
        "CWE-120",
        "CWE-131"
    ],
    "cvelist": null,
    "sourceData": "ruby zlib < 3.0.1\nruby zlib >= 3.1.0, < 3.1.2\nruby zlib >= 3.2.0, < 3.2.3",
    "sourceHref": "",
    "cvss": {
        "score": 1.7,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zlib",
    "version": "< 3.0.1",
    "vendor": "ruby",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption_CVE-2026-27820