A critical global buffer overflow vulnerability has been identified in the zlib untgz utility, specifically affecting version 1.3.1.2. The flaw resides in the TGZfname() function, where an unbounded strcpy() operation copies user-supplied archive names from command-line arguments into a fixed-size global buffer of 1,024 bytes without proper length validation. Security researchers demonstrated that supplying an archive name exceeding this limit can trigger an out-of-bounds write, leading to memory corruption, denial-of-service, or potentially arbitrary code execution, depending on system configuration and compiler settings.
The vulnerability, tracked as CVE-2026-22184 with a CVSS score of 9.3, is trivially exploitable via command-line input and does not require any archive parsing or validation to trigger. Successful exploitation was confirmed using AddressSanitizer, which detected a global buffer overflow when the utility was invoked with a 4,096-byte filename. The issue is classified under CWE-120 (Buffer Copy without Checking Size of Input) and poses significant risk to systems utilizing the affected version of the untgz utility for archive extraction or processing.
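The length check that the unbounded strcpy() described above lacks, as an added example (not zlib's code, and not from the report). The names set_archive_name, bounded_len, name_buf and try_len and the optional suffix parameter are assumptions; only the 1,024-byte global buffer and the 4,096-byte test input come from the description.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF_SIZE 1024            /* buffer size given in the report */
static char name_buf[NAME_BUF_SIZE];  /* hypothetical fixed-size global */

/* Length of s, capped at cap; memchr stops at the first NUL it finds. */
static size_t bounded_len(const char *s, size_t cap)
{
    const char *nul = memchr(s, '\0', cap);
    return nul ? (size_t)(nul - s) : cap;
}

/* Unchecked pattern (CWE-120), for contrast:  strcpy(name_buf, arcname);
 * Checked form: 0 on success, -1 if arcname is NULL or name + suffix + NUL
 * would not fit; name_buf is left untouched on failure. */
int set_archive_name(const char *arcname, const char *suffix)
{
    size_t nlen, slen;
    if (arcname == NULL)
        return -1;
    if (suffix == NULL)
        suffix = "";                  /* suffix is optional (assumption) */
    nlen = bounded_len(arcname, NAME_BUF_SIZE);
    slen = bounded_len(suffix, NAME_BUF_SIZE);
    if (nlen >= NAME_BUF_SIZE || slen >= NAME_BUF_SIZE - nlen)
        return -1;                    /* reject instead of truncating */
    memcpy(name_buf, arcname, nlen);
    memcpy(name_buf + nlen, suffix, slen);
    name_buf[nlen + slen] = '\0';
    return 0;
}

/* Constructed input: a name of n 'A' bytes (n = 4096 matches the report). */
int try_len(size_t n, const char *suffix)
{
    char *name = malloc(n + 1);
    int rc;
    if (name == NULL)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    rc = set_archive_name(name, suffix);
    free(name);
    return rc;
}

int main(void)
{
    printf("1023 bytes: %d, 4096 bytes: %d\n", try_len(1023, NULL), try_len(4096, NULL));
    return 0;
}
```

Rejecting an overlong name, rather than truncating it, avoids silently operating on a different path than the one the user supplied.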

A critical vulnerability in zlib, tracked as CVE-2026-22184, was publicly reported as a global buffer overflow issue. Reporting described the flaw as exploitable via invocation of untgz and assigned it a CVSS score of 9.3.