CVE-2022-37434

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-37434
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37434.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-37434
Downstream
Related
Published
2022-08-05T07:15:07Z
Modified
2025-10-15T14:07:38.395989Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

References

Affected packages

Git / github.com/madler/zlib

Affected ranges

Type
GIT
Repo
https://github.com/madler/zlib
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
Fixed
eff308af425b67093bab25f80f1ae950166bece1

Affected versions

v0.*

v0.71
v0.79
v0.8
v0.9
v0.91
v0.92
v0.93
v0.94
v0.95
v0.99

v1.*

v1.0-pre
v1.0.1
v1.0.2
v1.0.4
v1.0.5
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.1.4
v1.2.0
v1.2.0.1
v1.2.0.2
v1.2.0.3
v1.2.0.4
v1.2.0.5
v1.2.0.6
v1.2.0.7
v1.2.0.8
v1.2.1
v1.2.1.1
v1.2.1.2
v1.2.10
v1.2.11
v1.2.12
v1.2.2
v1.2.2.1
v1.2.2.2
v1.2.2.3
v1.2.2.4
v1.2.3
v1.2.3.1
v1.2.3.2
v1.2.3.3
v1.2.3.4
v1.2.3.5
v1.2.3.6
v1.2.3.7
v1.2.3.8
v1.2.3.9
v1.2.4
v1.2.4-pre1
v1.2.4-pre2
v1.2.4.1
v1.2.4.2
v1.2.4.3
v1.2.4.4
v1.2.4.5
v1.2.5
v1.2.5.1
v1.2.5.2
v1.2.5.3
v1.2.6
v1.2.6.1
v1.2.7
v1.2.7.1
v1.2.7.2
v1.2.7.3
v1.2.8
v1.2.9

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-37434-07c9cb0d",
        "deprecated": false,
        "target": {
            "file": "inflate.c"
        },
        "source": "https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "237743538351005164762023342714318221021",
                "330832068287443740046968560104034145064",
                "266760058359730475447498765381871161529",
                "1595552787892191466323851023061026310",
                "295123507458096674929206977295285826796",
                "236361182612944652517978493230343596138",
                "298342189222048754713647989854972646690"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line"
    },
    {
        "id": "CVE-2022-37434-9cc3d83a",
        "deprecated": false,
        "target": {
            "file": "inflate.c"
        },
        "source": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "173736815835493425863590097173702475962",
                "129220127786011023031116653503455261516",
                "158253382744967794372166426227829451328",
                "208646129568712116042670616434092925745",
                "267897132422978847766130599021982102399",
                "89021460256006972424927287623588351745",
                "257784892650917064621950304120855216852"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line"
    }
]