Global Buffer Overflow in GNU Gzip LZH Decompression
CVE-2026-41992
6.9 MEDIUM
What is CVE-2026-41992?
GNU gzip suffers from a global buffer overflow vulnerability in its LZH decompression logic. This vulnerability arises due to the improper reuse of a shared global state across different decompression formats within a single execution instance. Specifically, when decompressing a specially crafted LZW file followed by a carefully constructed LZH file using a single 'gzip -d' command, an attacker can manipulate the shared global state, triggering an out-of-bounds read during the LZH decompression process. This flaw results from the LZH logic utilizing stale values retained in the global array, which can lead to undesirable behavior and potential data leakage.
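As an added example (not from this advisory or the gzip project), the shell functions below check a batch of untrusted inputs for the ordering described above, an LZW file ahead of an LZH file in one invocation, and decompress with one gzip process per file so no decoder state carries from one file to the next. The function names are hypothetical; the magic bytes are the ones gzip uses to select a decoder, and the per-file approach assumes the trigger needs both files in the same process, as the description states.

```shell
#!/bin/sh
# Added example: helper names below are hypothetical, not part of gzip.

# First two bytes of a file as lowercase hex, e.g. "1f9d".
magic_of() {
    od -An -tx1 -N2 < "$1" | tr -d ' \n'
}

# Map the magic to the decoder gzip would select for it.
format_of() {
    case "$(magic_of "$1")" in
        1f9d) echo lzw ;;    # LZW (.Z, compress)
        1fa0) echo lzh ;;    # LZH (compress -H)
        1f8b) echo gzip ;;
        1f1e) echo pack ;;
        *)    echo other ;;
    esac
}

# Exit status 0 when an LZW file precedes an LZH file in argument order,
# i.e. the sequence the advisory describes for a single 'gzip -d' run.
batch_is_risky() {
    seen_lzw=0
    for f in "$@"; do
        case "$(format_of "$f")" in
            lzw) seen_lzw=1 ;;
            lzh) [ "$seen_lzw" -eq 1 ] && return 0 ;;
        esac
    done
    return 1
}

# Decompress each file in its own gzip process; returns non-zero if any failed.
safe_decompress() {
    rc=0
    for f in "$@"; do
        gzip -d -- "$f" || rc=1
    done
    return "$rc"
}
```

A caller would run `batch_is_risky "$@"` to log or quarantine a suspicious batch and use `safe_decompress "$@"` in place of a single multi-file `gzip -d` until a fixed version is installed.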
Affected Version(s)
gzip 0 <= 1.14
CVSS V4
Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)