Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector because attacker must supply controlled files to the gzip process; no privileges needed per PR:N; only confidentiality impacted via out-of-bounds read with no write or availability consequence.
Primary rating from Vendor (cert).
Description (CVE.org)
GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.
This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
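A compensating pre-filter for services that pass untrusted batches to gzip -d, added here as an example and not code from GNU gzip or from this page: it classifies inputs by the two-byte magic numbers gzip uses to select a decoder, flags an LZW-before-LZH ordering, and plans one gzip process per allowed file so that no decoder state carries over between inputs. The function names, the gzip-only allowlist default and the sample batch are assumptions.

```python
# Two-byte magic numbers gzip checks to choose a decoder (values from gzip's gzip.h).
MAGIC = {
    b"\x1f\x8b": "gzip",  # deflate (LZ77)
    b"\x1f\x9d": "lzw",   # Unix compress, .Z
    b"\x1f\xa0": "lzh",   # SCO compress -H
    b"\x1f\x1e": "pack",
}

def classify(header: bytes) -> str:
    """Map a file's first bytes to the decoder gzip -d would select."""
    return MAGIC.get(header[:2], "unknown")

def lzw_before_lzh(formats):
    """True when an LZW file precedes an LZH file in one invocation's argument order."""
    seen_lzw = False
    for fmt in formats:
        if fmt == "lzw":
            seen_lzw = True
        elif fmt == "lzh" and seen_lzw:
            return True
    return False

def plan(batch, allowed=("gzip",)):
    """Split a batch into per-file gzip argv lists and a rejected list.

    batch: list of (name, first_bytes). One process per file means the
    shared global array starts fresh for every input; formats outside
    `allowed` are refused rather than decoded.
    """
    commands, rejected = [], []
    for name, header in batch:
        fmt = classify(header)
        if fmt in allowed:
            commands.append(["gzip", "-d", "--", name])
        else:
            rejected.append((name, fmt))
    return commands, rejected

# Constructed sample batch: headers only, no real archive payloads.
SAMPLE = [
    ("build.log.gz", b"\x1f\x8b\x08\x00"),
    ("upload-1.Z", b"\x1f\x9d\x90"),
    ("upload-2.lzh", b"\x1f\xa0\x00"),
]

if __name__ == "__main__":
    formats = [classify(h) for _, h in SAMPLE]
    print("formats:", formats, "risky order:", lzw_before_lzh(formats))
    print("plan:", plan(SAMPLE))
```

The ordering check is useful as a log signal for batches that were already processed in a single invocation; the per-file plan is the control to apply until the fix commit is deployed.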
Analysis (AI)
Out-of-bounds read in GNU gzip's LZH decompression logic allows an unprivileged local attacker to disclose memory contents by supplying two specially crafted archives - an LZW file followed by an LZH file - in a single gzip -d invocation. The shared global decompression array, never reinitialized between files in the same process invocation, is poisoned by the LZW pass and subsequently causes the LZH decoder to read past the end of the allocated buffer, yielding high confidentiality impact per the CVSS 4.0 vector (VC:H). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the attacker to control two input files processed sequentially within a single gzip -d invocation: the first file must be a specially crafted LZW-format (Unix compress) archive to poison the shared global array, and the second must be a specially crafted LZH-format archive to trigger the out-of-bounds read using the poisoned state - the ordering is mandatory. … |
| Risk Assessment | The CVSS 4.0 base score of 6.9 reflects a meaningful but constrained vulnerability: local attack vector (AV:L) limits opportunistic exploitation, while low complexity (AC:L), no privileges required (PR:N), and high confidentiality impact (VC:H) indicate that exploitation, when access is available, is straightforward and damaging. … |
| Exploit Scenario | An attacker who controls files submitted to a backend service that invokes gzip for archive decompression - such as a CI/CD artifact processor or a file upload decompression endpoint - submits a crafted LZW archive followed by a crafted LZH archive as part of the same batch job. The gzip process decompresses the LZW file first, leaving attacker-controlled stale values in the shared global array, then decompresses the LZH file using those poisoned values, triggering an out-of-bounds read that may expose adjacent heap or stack memory contents to the attacker. … |
| Remediation | Apply the upstream fix at commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681 in the GNU gzip cgit repository (https://cgit.git.savannah.gnu.org/cgit/gzip.git/commit/?id=63dbf6b3b9e6e781df1a6a64e609b10e23969681). … |
Weakness: CWE-126 – Buffer Over-read
EUVD-2026-40069
GHSA-qxh4-rprf-2mmj