{"id":"CVE-2022-37434","details":"zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).","modified":"2026-04-10T04:49:53.960126Z","published":"2022-08-05T07:15:07.240Z","related":["ALSA-2022:7106","ALSA-2022:7314","ALSA-2022:7793","ALSA-2022:8291","CGA-g9jx-jcxm-9p6j","MGASA-2022-0328","SUSE-SU-2022:2845-1","SUSE-SU-2022:2846-1","SUSE-SU-2022:2847-1","SUSE-SU-2022:2947-1","openSUSE-SU-2022:2947-1","openSUSE-SU-2023:0365-1","openSUSE-SU-2023:0366-1","openSUSE-SU-2024:12270-1","openSUSE-SU-2024:12298-1","openSUSE-SU-2024:12367-1","openSUSE-SU-2024:12843-1","openSUSE-SU-2024:13367-1","openSUSE-SU-2024:14386-1"],"references":[{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/42"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230427-0007/"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/37"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/41"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/08/05/2"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220901-0005/"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213489"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213493"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213494"},{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5218"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213488"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213490"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT213491"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Oct/38"},{"type":"REPORT","url":"https://github.com/curl/curl/issues/9271"},{"type":"FIX","url":"https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1"},{"type":"FIX","url":"http://www.openwall.com/lists/oss-security/2022/08/09/1"},{"type":"FIX","url":"https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d"},{"type":"EVIDENCE","url":"https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764"},{"type":"EVIDENCE","url":"https://github.com/ivd38/zlib_overflow"},{"type":"EVIDENCE","url":"https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/madler/zlib","events":[{"introduced":"0"},{"last_affected":"21767c654d31d2dccdde4330529775c6c5fd5389"},{"fixed":"1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d"},{"fixed":"eff308af425b67093bab25f80f1ae950166bece1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.12"}]}},{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"0"},{"last_affected":"cf41627411886000429bde058a6594fb7f6d6d47"},{"introduced":"7162e686b18d22b4385fa5c04274fb04dbd810c7"},{"fixed":"79c57d0cc55db834177d2f8ce4b4d83109a23dc9"},{"introduced":"0"},{"fixed":"9de633dea8c50bc7d88b62d190e8c3c7242c0f13"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"10.0"},{"introduced":"16.0"},{"fixed":"16.1"},{"introduced":"0"},{"fixed":"9.1"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.4","v0.0.6","v0.1.0","v0.1.1","v0.1.10","v0.1.100","v0.1.101","v0.1.102","v0.1.103","v0.1.104","v0.1.11","v0.1.12","v0.1.13","v0.1.14","v0.1.15","v0.1.16","v0.1.17","v0.1.18","v0.1.19","v0.1.2","v0.1.20","v0.1.21","v0.1.22","v0.1.23","v0.1.24","v0.1.25","v0.1.26","v0.1.27","v0.1.28","v0.1.29","v0.1.3","v0.1.30","v0.1.31","v0.1.32","v0.1.33","v0.1.4","v0.1.5","v0.1.6","v0.1.7","v0.1.8","v0.1.9","v0.1.92","v0.1.93","v0.1.94","v0.1.95","v0.1.96","v0.1.97","v0.1.98","v0.1.99","v0.2.0","v0.3.0","v0.3.1","v0.3.2","v0.3.4","v0.3.5","v0.3.6","v0.3.7","v0.3.8","v0.4.0","v0.5.0","v0.5.1","v0.5.10","v0.5.2","v0.5.3","v0.5.4","v0.5.5","v0.5.5-rc1","v0.5.6","v0.5.7","v0.5.8","v0.5.9","v0.6.0","v0.6.1","v0.7.0","v0.7.2","v0.7.3","v0.71","v0.79","v0.8","v0.9","v0.91","v0.92","v0.93","v0.94","v0.95","v0.99","v1.0-pre","v1.0.1","v1.0.1-release","v1.0.2","v1.0.2-release","v1.0.3","v1.0.4","v1.0.5","v1.0.7","v1.0.8","v1.0.9","v1.1.0","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v1.2.0","v1.2.0.1","v1.2.0.2","v1.2.0.3","v1.2.0.4","v1.2.0.5","v1.2.0.6","v1.2.0.7","v1.2.0.8","v1.2.1","v1.2.1.1","v1.2.1.2","v1.2.10","v1.2.11","v1.2.12","v1.2.2","v1.2.2.1","v1.2.2.2","v1.2.2.3","v1.2.2.4","v1.2.3","v1.2.3.1","v1.2.3.2","v1.2.3.3","v1.2.3.4","v1.2.3.5","v1.2.3.6","v1.2.3.7","v1.2.3.8","v1.2.3.9","v1.2.4","v1.2.4-pre1","v1.2.4-pre2","v1.2.4.1","v1.2.4.2","v1.2.4.3","v1.2.4.4","v1.2.4.5","v1.2.5","v1.2.5.1","v1.2.5.2","v1.2.5.3","v1.2.6","v1.2.6.1","v1.2.7","v1.2.7.1","v1.2.7.2","v1.2.7.3","v1.2.8","v1.2.9","v1.3.0","v1.4.1","v1.4.2","v1.4.3","v1.5.0","v1.5.1","v1.6.0","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v1.7.0","v1.7.1","v10.0.0","v16.0.0","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.2.0","v2.2.1","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.5.0","v3.0.0","v9.0.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"35"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"fixed":"15.7.1"}]},{"events":[{"introduced":"0"},{"fixed":"15.7.1"}]},{"events":[{"introduced":"11.0"},{"fixed":"11.7.1"}]},{"events":[{"introduced":"12.0.0"},{"fixed":"12.6.1"}]},{"events":[{"introduced":"3.7.31"},{"fixed":"3.7.34"}]},{"events":[{"introduced":"3.11.0"},{"fixed":"3.11.22"}]},{"events":[{"introduced":"4.3.0"},{"fixed":"4.3.16"}]},{"events":[{"introduced":"4.6.0"},{"fixed":"4.6.3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-37434.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}