{"id":"CVE-2022-37434","details":"zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).","modified":"2026-02-24T11:43:04.403783Z","published":"2022-08-05T07:15:07.240Z","related":["ALSA-2022:7106","ALSA-2022:7314","ALSA-2022:7793","ALSA-2022:8291","CGA-g9jx-jcxm-9p6j","MGASA-2022-0328","SUSE-SU-2022:2845-1","SUSE-SU-2022:2846-1","SUSE-SU-2022:2847-1","SUSE-SU-2022:2947-1","openSUSE-SU-2022:2947-1","openSUSE-SU-2023:0365-1","openSUSE-SU-2023:0366-1","openSUSE-SU-2024:12270-1","openSUSE-SU-2024:12298-1","openSUSE-SU-2024:12367-1","openSUSE-SU-2024:12843-1","openSUSE-SU-2024:13367-1","openSUSE-SU-2024:14386-1"],"references":[{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/37"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/38"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/42"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/08/05/2"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/08/09/1"},{"type":"ADVISORY","url":"https://github.com/curl/curl/issues/9271"},{"type":"ADVISORY","url":"https://github.com/ivd38/zlib_overflow"},{"type":"ADVISORY","url":"https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063"},{"type":"ADVISORY","url":"https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1"},{"type":"ADVISORY","url":"https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220901-0005/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230427-0007/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213488"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213489"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213490"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213491"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213493"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213494"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5218"},{"type":"REPORT","url":"https://github.com/curl/curl/issues/9271"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2022/08/09/1"},{"type":"FIX","url":"https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d"},{"type":"FIX","url":"https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1"},{"type":"ARTICLE","url":"http://seclists.org/fulldisclosure/2022/Oct/37"},{"type":"ARTICLE","url":"http://seclists.org/fulldisclosure/2022/Oct/38"},{"type":"ARTICLE","url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"type":"ARTICLE","url":"http://seclists.org/fulldisclosure/2022/Oct/42"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2022/08/05/2"},{"type":"ARTICLE","url":"http://www.openwall.com/lists/oss-security/2022/08/09/1"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/"},{"type":"EVIDENCE","url":"https://github.com/curl/curl/issues/9271"},{"type":"EVIDENCE","url":"https://github.com/ivd38/zlib_overflow"},{"type":"EVIDENCE","url":"https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063"},{"type":"EVIDENCE","url":"https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/madler/zlib","events":[{"introduced":"0"},{"fixed":"1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d"},{"introduced":"0"},{"fixed":"eff308af425b67093bab25f80f1ae950166bece1"}]}],"versions":["v0.71","v0.79","v0.8","v0.9","v0.91","v0.92","v0.93","v0.94","v0.95","v0.99","v1.0-pre","v1.0.1","v1.0.2","v1.0.4","v1.0.5","v1.0.7","v1.0.8","v1.0.9","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v1.2.0","v1.2.0.1","v1.2.0.2","v1.2.0.3","v1.2.0.4","v1.2.0.5","v1.2.0.6","v1.2.0.7","v1.2.0.8","v1.2.1","v1.2.1.1","v1.2.1.2","v1.2.10","v1.2.11","v1.2.12","v1.2.2","v1.2.2.1","v1.2.2.2","v1.2.2.3","v1.2.2.4","v1.2.3","v1.2.3.1","v1.2.3.2","v1.2.3.3","v1.2.3.4","v1.2.3.5","v1.2.3.6","v1.2.3.7","v1.2.3.8","v1.2.3.9","v1.2.4","v1.2.4-pre1","v1.2.4-pre2","v1.2.4.1","v1.2.4.2","v1.2.4.3","v1.2.4.4","v1.2.4.5","v1.2.5","v1.2.5.1","v1.2.5.2","v1.2.5.3","v1.2.6","v1.2.6.1","v1.2.7","v1.2.7.1","v1.2.7.2","v1.2.7.3","v1.2.8","v1.2.9"],"database_specific":{"vanir_signatures":[{"id":"CVE-2022-37434-9cc3d83a","deprecated":false,"signature_version":"v1","source":"https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1","digest":{"threshold":0.9,"line_hashes":["173736815835493425863590097173702475962","129220127786011023031116653503455261516","158253382744967794372166426227829451328","208646129568712116042670616434092925745","267897132422978847766130599021982102399","89021460256006972424927287623588351745","257784892650917064621950304120855216852"]},"signature_type":"Line","target":{"file":"inflate.c"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37434.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wordpress/wordpress-develop","events":[{"introduced":"5be7b6aec4ab36c3e1749efff681c7db6632a940"},{"fixed":"c07e9f03710f86e788bb0a49a7c3292e2d79a84b"},{"introduced":"7c76a1b79e21176b176b5b6d6b03151f8eea4b55"},{"fixed":"68b26e7107d944e32edc30f6e7e2d533c732729b"},{"introduced":"ec8826ed50f8ce0eea39900eeeba09a9d621f00e"},{"fixed":"140d6ad7bf67c9c2d61eddaa17815029c06fd2bd"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37434.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}