
Ruby's zlib interface allows attackers to corrupt memory

DEBIAN-CVE-2026-27820
Summary

Affected versions of the zlib Ruby interface (the zlib gem that ships with Ruby) can be made to write attacker-controlled data past the end of a buffer, corrupting memory and leaving the process in an unpredictable state. The flaw sits in Zlib::GzipReader, so any Ruby application that decompresses gzip data it does not trust is exposed. Upstream versions 3.0.1, 3.1.2 and 3.2.3 fix the issue.

What to do

No fixed Debian package is available yet for the packages listed below; check with your distribution or software vendor for updates. Upstream fixed the zlib gem in versions 3.0.1, 3.1.2 and 3.2.3. To see which extension version a given Ruby actually loads, check Zlib::VERSION (the version of the Ruby extension); Zlib::ZLIB_VERSION reports the underlying C library and says nothing about this issue.

Affected software
Ecosystem   Vendor   Product   Affected versions
Debian:11   debian   ruby2.7   All versions
Debian:12   debian   ruby3.1   All versions
Debian:13   debian   ruby3.3   All versions
Debian:14   debian   ruby3.3   All versions
Original title
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The...
Original description
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
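The pattern the description names, as an added illustration that is not the zlib gem's own code: a minimal C model of an ungets-style prepend, first in the unchecked form the advisory describes (memmove the existing output right, then copy the new bytes in front, with no capacity check) and then with the capacity reservation the fix requires. The buffer type and function names (zbuf, ungets_unchecked, ungets_checked) and the 8-byte inputs are constructed for this example; the flawed version is driven against a buffer whose tracked capacity is smaller than its real allocation, so the out-of-bounds write lands in a guard region that can be inspected instead of in unrelated heap memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of an output buffer with an "ungets"-style prepend.
 * Hypothetical names; this is not the zlib gem's zstream code, only the
 * pattern the advisory describes. */
typedef struct {
    unsigned char *ptr;
    size_t len;   /* bytes of output currently held */
    size_t cap;   /* bytes the buffer may legitimately use */
} zbuf;

/* Flawed pattern: shift existing output right by n and put the new bytes in
 * front, without checking that len + n fits in cap. When it does not, the
 * memmove writes past the end of the buffer. */
static void ungets_unchecked(zbuf *b, const unsigned char *src, size_t n)
{
    memmove(b->ptr + n, b->ptr, b->len);
    memcpy(b->ptr, src, n);
    b->len += n;
}

/* Hardened pattern: reserve len + n bytes (with integer-overflow checks)
 * before touching the data. Returns 0 on success, -1 if it cannot grow. */
static int ungets_checked(zbuf *b, const unsigned char *src, size_t n)
{
    if (n > SIZE_MAX - b->len)
        return -1;
    size_t need = b->len + n;
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 16;
        while (ncap < need) {
            if (ncap > SIZE_MAX / 2)
                return -1;
            ncap *= 2;
        }
        unsigned char *p = realloc(b->ptr, ncap);
        if (p == NULL)
            return -1;
        b->ptr = p;
        b->cap = ncap;
    }
    memmove(b->ptr + n, b->ptr, b->len);
    memcpy(b->ptr, src, n);
    b->len += n;
    return 0;
}

/* Tracked capacity is 8 but the real allocation is 32, so the overflow lands
 * in a guard region. Returns how many guard bytes were overwritten (8 here). */
static size_t demo_unchecked_overflow(void)
{
    enum { ALLOC = 32, CAP = 8 };
    unsigned char *mem = malloc(ALLOC);
    if (mem == NULL)
        return 0;
    memset(mem, 'A', CAP);                 /* previously produced output */
    memset(mem + CAP, 0xEE, ALLOC - CAP);  /* guard: nothing should write here */
    zbuf b = { mem, CAP, CAP };
    unsigned char pre[8];
    memset(pre, 'B', sizeof pre);          /* constructed caller-supplied bytes */
    ungets_unchecked(&b, pre, sizeof pre);
    size_t clobbered = 0;
    for (size_t i = CAP; i < ALLOC; i++)
        if (mem[i] != 0xEE)
            clobbered++;
    free(mem);
    return clobbered;
}

/* Same input through the hardened version: returns 1 if the buffer grew and
 * holds the prepended bytes followed by the original output. */
static int demo_checked_prepend(void)
{
    enum { CAP = 8 };
    zbuf b = { malloc(CAP), CAP, CAP };
    if (b.ptr == NULL)
        return 0;
    memset(b.ptr, 'A', CAP);
    unsigned char pre[8];
    memset(pre, 'B', sizeof pre);
    int ok = ungets_checked(&b, pre, sizeof pre) == 0
          && b.len == 16 && b.cap >= 16
          && memcmp(b.ptr, "BBBBBBBBAAAAAAAA", 16) == 0;
    free(b.ptr);
    return ok;
}

int main(void)
{
    printf("unchecked ungets clobbered %zu guard bytes\n", demo_unchecked_overflow());
    printf("checked ungets ok: %d\n", demo_checked_prepend());
    return 0;
}
```

The guard region makes the defect observable without relying on a crash: with the real gem, the same memmove lands in whatever the allocator placed after the Ruby string's buffer, which is why the advisory describes the outcome as memory corruption rather than a clean failure.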
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026