zlib CVE Vulnerabilities & Metrics

Focus on zlib vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About zlib Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with zlib. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total zlib CVEs: 8
Earliest CVE date: 15 Mar 2002, 05:00 UTC
Latest CVE date: 07 Jan 2026, 21:16 UTC

Latest CVE reference: CVE-2026-22184

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous year)

Annual CVE Trends (Last 20 Years)

Critical zlib CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.84

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range       Count
0.0-3.9     4
4.0-6.9     6
7.0-8.9     5
9.0-10.0    0

CVSS Distribution Chart

Top 5 Highest CVSS zlib CVEs

These are the five zlib CVEs with the highest CVSS scores, sorted by severity first and then by recency.

All CVEs for zlib

CVE-2026-22184 | zlib vulnerability | CVSS: 0 | 07 Jan 2026, 21:16 UTC

zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

CVE-2023-45853 | zlib vulnerability | CVSS: 0 | 14 Oct 2023, 02:15 UTC

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

CVE-2022-37434 | zlib vulnerability | CVSS: 0 | 05 Aug 2022, 07:15 UTC

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

CVE-2018-25032 | zlib vulnerability | CVSS: 5.0 | 25 Mar 2022, 09:15 UTC

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

CVE-2016-9843 | zlib vulnerability | CVSS: 7.5 | 23 May 2017, 04:29 UTC

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

CVE-2016-9842 | zlib vulnerability | CVSS: 6.8 | 23 May 2017, 04:29 UTC

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

CVE-2016-9841 | zlib vulnerability | CVSS: 7.5 | 23 May 2017, 04:29 UTC

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2016-9840 | zlib vulnerability | CVSS: 6.8 | 23 May 2017, 04:29 UTC

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

CVE-2015-1191 | zlib vulnerability | CVSS: 5.0 | 21 Jan 2015, 18:59 UTC

Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.

CVE-2013-0296 | zlib vulnerability | CVSS: 4.4 | 27 Apr 2014, 21:55 UTC

Race condition in pigz before 2.2.5 uses permissions derived from the umask when compressing a file before setting that file's permissions to match those of the original file, which might allow local users to bypass intended access permissions while compression is occurring.

CVE-2005-1849 | zlib vulnerability | CVSS: 5.0 | 26 Jul 2005, 04:00 UTC

inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.

CVE-2005-2096 | zlib vulnerability | CVSS: 7.5 | 06 Jul 2005, 04:00 UTC

zlib 1.2 and later versions allow remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.

CVE-2004-0797 | zlib vulnerability | CVSS: 2.1 | 20 Oct 2004, 04:00 UTC

The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).

CVE-2003-0107 | zlib vulnerability | CVSS: 7.5 | 07 Mar 2003, 05:00 UTC

Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.

CVE-2002-0059 | zlib vulnerability | CVSS: 7.5 | 15 Mar 2002, 05:00 UTC

The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed compression data.