{"id":"USN-8512-1","summary":"gzip vulnerabilities","details":"It was discovered that Gzip's gzexe utility handled temporary files in an\ninsecure manner. When the mktemp utility was not available, gzexe\nconstructed a temporary file path based on the process ID, which could be\npredicted. A local attacker could possibly use this issue to overwrite\narbitrary files via a symlink attack. (CVE-2026-41991)\n\nIt was discovered that Gzip incorrectly handled certain compressed files.\nAn attacker could possibly use this issue to obtain sensitive information\nor cause Gzip to crash, resulting in a denial of service. (CVE-2026-41992)","modified":"2026-07-06T20:44:29.397826088Z","published":"2026-07-06T12:52:06Z","related":["UBUNTU-CVE-2026-41991","UBUNTU-CVE-2026-41992"],"upstream":["CVE-2026-41991","CVE-2026-41992","UBUNTU-CVE-2026-41991","UBUNTU-CVE-2026-41992"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8512-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-41991"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-41992"}],"affected":[{"package":{"name":"gzip","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/gzip?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.10-4ubuntu4.2"}]}],"versions":["1.10-4ubuntu1","1.10-4ubuntu2","1.10-4ubuntu3","1.10-4ubuntu4","1.10-4ubuntu4.1"],"ecosystem_specific":{"binaries":[{"binary_name":"gzip","binary_version":"1.10-4ubuntu4.2"},{"binary_version":"1.10-4ubuntu4.2","binary_name":"gzip-win32"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-41991","severity":[{"score":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-41992","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8512-1.json"}},{"package":{"name":"gzip","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/gzip?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.12-1ubuntu3.2"}]}],"versions":["1.12-1ubuntu1","1.12-1ubuntu2","1.12-1ubuntu3","1.12-1ubuntu3.1"],"ecosystem_specific":{"binaries":[{"binary_name":"gzip","binary_version":"1.12-1ubuntu3.2"},{"binary_version":"1.12-1ubuntu3.2","binary_name":"gzip-win32"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-41991","severity":[{"score":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-41992","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8512-1.json"}},{"package":{"name":"gzip","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/gzip?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.14-1~exp2ubuntu1.1"}]}],"versions":["1.13-1ubuntu4","1.13-1ubuntu5","1.14-1~exp2ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.14-1~exp2ubuntu1.1","binary_name":"gzip"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-41991","severity":[{"score":"CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-41992","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:26.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8512-1.json"}}],"schema_version":"1.7.5"}