CVE-2022-37434

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

References

Affected packages

Git / github.com/madler/zlib

Affected ranges

Type

GIT

Repo

https://github.com/madler/zlib

Events

Introduced

Last affected

21767c654d31d2dccdde4330529775c6c5fd5389

Fixed

1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

Fixed

eff308af425b67093bab25f80f1ae950166bece1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.2.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/nodejs/node

Events

Introduced

Last affected

cf41627411886000429bde058a6594fb7f6d6d47

Introduced

7162e686b18d22b4385fa5c04274fb04dbd810c7

Fixed

79c57d0cc55db834177d2f8ce4b4d83109a23dc9

Introduced

Fixed

9de633dea8c50bc7d88b62d190e8c3c7242c0f13

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "10.0"
        },
        {
            "introduced": "16.0"
        },
        {
            "fixed": "16.1"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "9.1"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.6

v0.1.0

v0.1.1

v0.1.10

v0.1.100

v0.1.101

v0.1.102

v0.1.103

v0.1.104

v0.1.11

v0.1.12

v0.1.13

v0.1.14

v0.1.15

v0.1.16

v0.1.17

v0.1.18

v0.1.19

v0.1.2

v0.1.20

v0.1.21

v0.1.22

v0.1.23

v0.1.24

v0.1.25

v0.1.26

v0.1.27

v0.1.28

v0.1.29

v0.1.3

v0.1.30

v0.1.31

v0.1.32

v0.1.33

v0.1.4

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.1.9

v0.1.92

v0.1.93

v0.1.94

v0.1.95

v0.1.96

v0.1.97

v0.1.98

v0.1.99

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8

v0.4.0

v0.5.0

v0.5.1

v0.5.10

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.5-rc1

v0.5.6

v0.5.7

v0.5.8

v0.5.9

v0.6.0

v0.6.1

v0.7.0

v0.7.2

v0.7.3

v0.71

v0.79

v0.8

v0.9

v0.91

v0.92

v0.93

v0.94

v0.95

v0.99

v1.*

v1.0-pre

v1.0.1

v1.0.1-release

v1.0.2

v1.0.2-release

v1.0.3

v1.0.4

v1.0.5

v1.0.7

v1.0.8

v1.0.9

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2.0

v1.2.0.1

v1.2.0.2

v1.2.0.3

v1.2.0.4

v1.2.0.5

v1.2.0.6

v1.2.0.7

v1.2.0.8

v1.2.1

v1.2.1.1

v1.2.1.2

v1.2.10

v1.2.11

v1.2.12

v1.2.2

v1.2.2.1

v1.2.2.2

v1.2.2.3

v1.2.2.4

v1.2.3

v1.2.3.1

v1.2.3.2

v1.2.3.3

v1.2.3.4

v1.2.3.5

v1.2.3.6

v1.2.3.7

v1.2.3.8

v1.2.3.9

v1.2.4

v1.2.4-pre1

v1.2.4-pre2

v1.2.4.1

v1.2.4.2

v1.2.4.3

v1.2.4.4

v1.2.4.5

v1.2.5

v1.2.5.1

v1.2.5.2

v1.2.5.3

v1.2.6

v1.2.6.1

v1.2.7

v1.2.7.1

v1.2.7.2

v1.2.7.3

v1.2.8

v1.2.9

v1.3.0

v1.4.1

v1.4.2

v1.4.3

v1.5.0

v1.5.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.4

v1.7.0

v1.7.1

v10.*

v10.0.0

v16.*

v16.0.0

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.2.0

v2.2.1

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.4.0

v2.5.0

v3.*

v3.0.0

v9.*

v9.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-37434.json"

vanir_signatures

[
    {
        "source": "https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1",
        "target": {
            "file": "inflate.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "signature_type": "Line",
        "id": "CVE-2022-37434-9cc3d83a",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "173736815835493425863590097173702475962",
                "129220127786011023031116653503455261516",
                "158253382744967794372166426227829451328",
                "208646129568712116042670616434092925745",
                "267897132422978847766130599021982102399",
                "89021460256006972424927287623588351745",
                "257784892650917064621950304120855216852"
            ]
        }
    }
]

vanir_signatures_modified

"2026-04-11T23:42:04Z"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "35"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "36"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "37"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "15.7.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "fixed": "15.7.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "11.0"
            },
            {
                "fixed": "11.7.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "12.0.0"
            },
            {
                "fixed": "12.6.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.7.31"
            },
            {
                "fixed": "3.7.34"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.11.0"
            },
            {
                "fixed": "3.11.22"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.3.0"
            },
            {
                "fixed": "4.3.16"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.6.0"
            },
            {
                "fixed": "4.6.3"
            }
        ]
    }
]