CVE-2026-27171 PUBLISHED

Assigner: mitre
Reserved: 18.02.2026 Published: 18.02.2026 Updated: 18.02.2026

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 2.9

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	zlib
Product	zlib
Versions	Default: unaffected affected from 0 to 1.3.2 (excl.)

References

https://github.com/madler/zlib/issues/904
https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf
https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/
https://ostif.org/zlib-audit-complete/
https://github.com/madler/zlib/releases/tag/v1.3.2

Problem Types

CWE-1284 Improper Validation of Specified Quantity in Input CWE