The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HApple iOS
OSApple< 11Apple Mac Os X
OSApple10.0.0 – 10.13.0 (bez)Apple tvOS
OSApple< 11.0Apple watchOS
OSApple< 4Canonical Ubuntu
OSCanonical16.0418.04Debian
OSDebian8.0Node.js
APPNodejs6.9.0 – 6.10.2 (bez)7.0.0 – 7.6.0 (bez)4.0.0 – 4.1.24.2.0 – 4.8.2 (bez)6.0.0 – 6.8.1Opensuse Leap
OSOpensuse42.142.2Opensuse
OSOpensuse13.2Oracle Database Server
APPOracle18cOracle JDK
APPOracle1.6.01.7.01.8.0Oracle Jre
APPOracle1.6.01.7.01.8.0Oracle MySQL
APPOracle5.5.0 – 5.5.615.6.0 – 5.6.415.7.0 – 5.7.238.0.0 – 8.0.12Red Hat Enterprise Linux Desktop
OSRedhat6.07.0Red Hat Enterprise Linux Eus
OSRedhat7.47.5Red Hat Enterprise Linux Server
OSRedhat6.07.0Red Hat Enterprise Linux Workstation
OSRedhat6.07.0Red Hat Satellite
APPRedhat5.8Zlib
APPZlib1.2.3.4 – 1.2.9 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
References
Related vulnerabilities
CVE-2026-24061CRITICAL9.8⚠ KEVPL ✓ten sam produkt
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
CVE-2025-32463CRITICAL9.3⚠ KEVPL ✓ten sam produkt
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
CVE-2025-49113CRITICAL9.9⚠ KEVPL ✓ten sam produkt
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio