
Ruby Zlib Interface Fails to Ensure Safe Data Storage

CVE-2026-27820 GHSA-g857-hhfv-j68w
Summary

Zlib::GzipReader in the Ruby zlib gem contains a buffer overflow. When bytes are pushed back in front of output that has already been decompressed, the backing Ruby string is not checked for (or grown to) enough capacity before the existing data is shifted, so the write can run past the end of the buffer and corrupt memory. Applications running an affected version that decompress data from external sources are exposed. Upgrade to the fixed release for your series (3.0.1, 3.1.2 or 3.2.3).

What to do
  • On the 3.2.x series, update zlib to 3.2.3.
  • On the 3.1.x series, update zlib to 3.1.2.
  • On 3.0.0 or earlier, update zlib to 3.0.1 (or to a later series).
Affected software
Ecosystem   Vendor   Product   Affected versions
rubygems    –        zlib      >= 3.2.0, < 3.2.3
                               >= 3.1.0, < 3.1.2
                               < 3.0.1
Fix: upgrade to 3.2.3 (3.1.2 for the 3.1.x series, 3.0.1 for 3.0.0 and earlier)
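The ranges above are the check most Ruby teams will want to automate against their lockfiles. The following is an added example, not code from the advisory or from the zlib gem: it encodes the affected ranges with RubyGems' Gem::Requirement and Gem::Version, reads the pinned zlib version out of Gemfile.lock text, and falls back to Zlib::VERSION (the version of the Ruby zlib extension actually loaded; Zlib::ZLIB_VERSION is the C library's version) when the gem is not pinned. The Gemfile.lock excerpt is constructed for the example.

```ruby
require "rubygems"
require "zlib"

# Affected ranges and the fixed release for each series, as listed in this advisory.
# Ordered newest series first so a version matches at most one entry.
ZLIB_GEM_ADVISORY = [
  { affected: Gem::Requirement.new(">= 3.2.0", "< 3.2.3"), fixed: "3.2.3" },
  { affected: Gem::Requirement.new(">= 3.1.0", "< 3.1.2"), fixed: "3.1.2" },
  { affected: Gem::Requirement.new("< 3.0.1"),             fixed: "3.0.1" },
].freeze

# Returns the release to upgrade to if `version` is affected, or nil if it is not.
def zlib_gem_fix_for(version)
  v = Gem::Version.new(version)
  entry = ZLIB_GEM_ADVISORY.find { |e| e[:affected].satisfied_by?(v) }
  entry && entry[:fixed]
end

# Extracts the resolved zlib version from Gemfile.lock text, or nil when the gem
# is not pinned there (zlib ships as a default gem, so many lockfiles omit it).
# Resolved gems under "specs:" are indented by exactly four spaces; dependency
# lines below them use six, so anchoring on four spaces avoids matching those.
def locked_zlib_version(lockfile_text)
  m = lockfile_text.match(/^ {4}zlib \((\d+\.\d+\.\d+)\)$/)
  m && m[1]
end

# One-line verdict: prefers the lockfile pin, otherwise the extension loaded
# into this interpreter.
def zlib_gem_verdict(lockfile_text = nil)
  version = lockfile_text && locked_zlib_version(lockfile_text)
  version ||= defined?(Zlib::VERSION) ? Zlib::VERSION : nil
  return "zlib version unknown; check with `gem list zlib`" unless version

  fix = zlib_gem_fix_for(version)
  if fix
    "zlib #{version} is affected by CVE-2026-27820; upgrade to #{fix}"
  else
    "zlib #{version} is not affected by CVE-2026-27820"
  end
end

# Constructed Gemfile.lock excerpt (not from any real project) so the example runs offline.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.2.1)
      zlib (3.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    zlib
LOCK

if __FILE__ == $PROGRAM_NAME
  puts zlib_gem_verdict(SAMPLE_LOCKFILE)  # the sample pins 3.2.1, which is affected
  puts zlib_gem_verdict                   # whatever zlib extension this interpreter loaded
end
```

Running it against a real project is `ruby check_zlib.rb` with `zlib_gem_verdict(File.read("Gemfile.lock"))`; a lockfile that does not pin zlib falls through to the interpreter's own extension, which is the version that Zlib::GzipReader will actually use.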
Original description
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
NVD CVSS 4.0 base score: 1.7
Vulnerability type
CWE-120 Classic Buffer Overflow
CWE-131 Incorrect Calculation of Buffer Size
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 16 Apr 2026