CVE-2026-27171
Severity: LOW
zlib < 1.3.2 - Denial of Service via crc32_combine64 Function
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
References (5)
Various Sources: https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
Various Sources: https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf
Various Sources: https://ostif.org/zlib-audit-complete/
Issue Tracking: https://github.com/madler/zlib/issues/904
Release Notes: https://github.com/madler/zlib/releases/tag/v1.3.2
Scores
CVSS v3: 2.9
EPSS: 0.0020
EPSS Percentile: 10.3%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-1284
Status: published
Products (1): zlib/zlib < 1.3.2
Published: Feb 18, 2026
Tracked Since: Feb 18, 2026