Gzip
Out-of-bounds read in GNU gzip's LZH decompression logic allows an unprivileged local attacker to disclose memory contents by supplying two specially crafted archives - an LZW file followed by an LZH file - in a single gzip -d invocation. The shared global decompression array, never reinitialized between files in the same process invocation, is poisoned by the LZW pass and subsequently causes the LZH decoder to read past the end of the allocated buffer, yielding high confidentiality impact per the CVSS 4.0 vector (VC:H). No public exploit or CISA KEV listing has been identified at time of analysis; the fix exists as an upstream source commit only, with no confirmed packaged release.
Arbitrary file overwrite in GNU gzip's gzexe utility allows a local attacker to corrupt victim-accessible files via a symlink attack exploiting predictable temporary filename construction. When mktemp is absent from the user's PATH, gzexe falls back to PID-based temp file naming without exclusive creation or existence checks, enabling a TOCTOU race where a pre-planted symlink redirects the write to an attacker-chosen target. No public exploit or CISA KEV listing exists at time of analysis; impact is limited to low-integrity file overwrite with a CVSS 4.0 score of 2.0.
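The exclusive-creation check that the gzexe entry describes as missing, sketched as an added example (this is not gzexe's code or the upstream fix). The function names `create_excl` and `fallback_tmp` and the `ex<PID>.<n>` file naming are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a temp-file fallback for systems without mktemp.
# Names (create_excl, fallback_tmp, "ex" prefix) are hypothetical.

# Create "$1" only if nothing already exists at that path.
# With noclobber (set -C) the shell opens the target with O_CREAT|O_EXCL,
# so a pre-planted symlink (dangling or pointing at a regular file) makes
# the redirection fail instead of writing through the link.
# Runs in a subshell so umask and noclobber do not leak to the caller.
create_excl() (
    umask 077          # new file is readable and writable by the owner only
    set -C
    : > "$1"
) 2>/dev/null

# Print the path of a freshly created private file inside directory "$1".
# A PID-based name is guessable, so safety comes from exclusive creation,
# not from the name. On collision, move to the next suffix.
fallback_tmp() {
    dir=$1
    n=0
    while [ "$n" -lt 100 ]; do
        candidate="$dir/ex$$.$n"
        if create_excl "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        n=$((n + 1))
    done
    return 1           # give up rather than reuse an existing path
}
```

noclobber only refuses existing regular files and fails on dangling links; a link to a device node such as /dev/null is still opened, so a private directory created with `mkdir` under `umask 077` is the stricter choice where that matters.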