zlib is one of the world's most widely used data compression libraries, present in everything from Linux distributions to Windows, macOS, mobile applications, and even IoT devices. While its primary compression routines are robust and have stood the test of time, auxiliary tools sometimes slip through the cracks of rigorous testing. One such case was recently identified as CVE-2026-22184: a global buffer overflow in the untgz utility shipped *as a demonstration tool* with zlib, up to and including version 1.3.1.2.

This post breaks down the technical details and the scope of impact, demonstrates how the vulnerability works, and provides code and reference links.

What Is CVE-2026-22184?

Summary:
All zlib versions up to and including 1.3.1.2 ship a *standalone demonstration utility* called untgz under the contrib/untgz directory. The untgz tool is *not* part of the main compression library and is not included in most built zlib binaries or packages by default.

The Bug:
When a user invokes untgz with an *extremely long archive file name* as a command-line argument, the program copies this filename into a fixed-size global buffer. If the input filename exceeds the buffer size, the copy runs past the end of the buffer (a classic global buffer overflow), potentially allowing code execution, depending on how the tool is compiled and run.

Impact:
- DOES NOT impact the libz shared library or the main zlib compression/decompression routines.
- ONLY affects those who build and execute the untgz sample tool from contrib/untgz.

Vulnerable Code

Within contrib/untgz/untgz.c, the filename from the command line is copied directly into a fixed-size global buffer, typically like this (simplified; the unchecked copy is the intended defect):

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char tgzname[1024];   /* fixed-size global buffer */

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("usage: untgz archive.tgz\n");
        exit(1);
    }
    strcpy(tgzname, argv[1]); /* <-- VULNERABLE: no check against sizeof(tgzname) */
    /* ... */
    return 0;
}

The problem? strcpy() does not check for length. If argv[1] (counting its terminating NUL) is longer than 1024 bytes, it will overflow tgzname.

Safer code would have been:

strncpy(tgzname, argv[1], sizeof(tgzname)-1);
tgzname[sizeof(tgzname)-1] = '\0';
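As an added example (not zlib's or untgz's own code), the checked copy below rejects an over-long archive name outright, shown beside the truncating strncpy fix above; the 1024-byte buffer size and the constructed 2000-byte test name are assumptions chosen to match the description.

```c
#include <stdio.h>
#include <string.h>

/* Same size as the tgzname buffer discussed above (example code, not untgz's own). */
#define TGZNAME_MAX 1024

/* Copy src into dst only if it fits together with its terminating NUL.
   Returns 0 on success, -1 if the name is too long; dst is left untouched
   on failure. Rejecting beats truncating here: a silently shortened
   archive name could make the tool open a different file than requested. */
int set_tgzname_checked(char *dst, size_t dstsize, const char *src) {
    const char *end = memchr(src, '\0', dstsize); /* reads at most dstsize bytes */
    if (end == NULL)
        return -1;                       /* no NUL within dstsize: does not fit */
    memcpy(dst, src, (size_t)(end - src) + 1); /* +1 copies the NUL too */
    return 0;
}

/* The strncpy fix shown above: bounded and NUL-terminated, but the caller
   cannot tell that the name was cut. */
void set_tgzname_truncating(char *dst, size_t dstsize, const char *src) {
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
}

/* Exercises both variants on constructed input; returns 1 when every
   expectation holds, 0 otherwise. */
int tgzname_selfcheck(void) {
    static char buf[TGZNAME_MAX];
    static char longname[2000];              /* constructed: longer than the buffer */
    memset(longname, 'A', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';

    if (set_tgzname_checked(buf, sizeof buf, "archive.tgz") != 0) return 0;
    if (strcmp(buf, "archive.tgz") != 0) return 0;
    if (set_tgzname_checked(buf, sizeof buf, longname) != -1) return 0;
    if (strcmp(buf, "archive.tgz") != 0) return 0; /* rejected copy left dst intact */
    set_tgzname_truncating(buf, sizeof buf, longname);
    if (strlen(buf) != TGZNAME_MAX - 1) return 0;  /* cut to 1023 bytes + NUL */
    return 1;
}

int main(void) {
    printf("self-check %s\n", tgzname_selfcheck() ? "passed" : "FAILED");
    return 0;
}
```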

Triggering the Overflow

1. Build untgz (run make in contrib/untgz).

2. Call: ./untgz <very-long-filename>

Below is a proof of concept (PoC) that crashes untgz using the vulnerability:

# Build an archive name longer than the 1024-byte buffer (a short name such
# as 120 characters fits in the buffer and does not overflow it)
LONGNAME="$(python3 -c "print('A'*2000)").tgz"

# The overflowing copy happens before the archive is opened, so the file does
# not need to exist (most filesystems would refuse to create a name this long)
./untgz "$LONGNAME"

You should see a crash, often with "Segmentation fault." Because the buffer is global, the overflow may also corrupt neighbouring data without crashing; building untgz with -fsanitize=address reports the out-of-bounds write reliably.

On platforms with an executable stack or address randomization disabled, a user may craft the overflowing argument to overwrite the data that follows the buffer, potentially resulting in arbitrary code execution (though this is unlikely in default modern setups).

References

- Official zlib GitHub repo - untgz.c
- CVE-2026-22184 at MITRE (to appear)
- zlib changelog and release notes

Upgrade Recommendation:

This bug is fixed in zlib after version 1.3.1.2. If you use untgz, pull the latest version from GitHub or ensure you use a patched version.

For package maintainers:

- Many distributions never ship the contrib/untgz tool by default.

Conclusion

CVE-2026-22184 is a cautionary tale about demonstration code:
While the core zlib remains safe, even auxiliary tools deserve a security audit. If you must use untgz, update today—or better, use more robust and well-maintained tar/gzip utilities for production workloads.

Stay safe!

If you found this useful, share with your team, and always audit third-party tools and demo code, even if they come from respected libraries.

Timeline

Published on: 01/07/2026 20:25:19 UTC
Last modified on: 01/15/2026 14:16:27 UTC