CVE-2018-25032

HIGH

zlib <1.2.12 - Memory Corruption

Title source: llm

Description

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Exploits (3)

nomisec STUB 1 stars

by Trinadh465 · poc

https://github.com/Trinadh465/external_zlib_4.4_CVE-2018-25032

View Code ZIP pw:eip

nomisec STUB

by Satheesh575555 · poc

https://github.com/Satheesh575555/external_zlib-1.2.7_CVE-2018-25032

View Code ZIP pw:eip

nomisec WORKING POC

by Trinadh465 · poc

https://github.com/Trinadh465/external_zlib_AOSP10_r33_CVE-2018-25032

View Code ZIP pw:eip

References (29)

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2022/May/33

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2022/May/35

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2022/May/38

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/03/25/2

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2022/03/26/1

[Third Party Advisory] https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf

[Patch, Third Party Advisory] https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531

[Patch, Third Party Advisory] https://github.com/madler/zlib/compare/v1.2.11...v1.2.12

[Issue Tracking, Patch, Third Party Advisory] https://github.com/madler/zlib/issues/605

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html

[Mailing List, Third Party Advisory] https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/

[Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/

[Third Party Advisory] https://security.gentoo.org/glsa/202210-42

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20220526-0009/

... and 9 more

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 23.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-787

Status published

Affected Products (50)

nokogiri/nokogiri < 1.13.4

python/python < 3.7.14

zlib/zlib < 1.2.12

debian/debian_linux

fedoraproject/fedora

apple/mac_os_x < 10.15.7

apple/mac_os_x

... and 35 more

Timeline

Published Mar 25, 2022

Tracked Since Feb 18, 2026