CVE-2022-37434

Name: CVE-2022-37434
Creator: NVD / NIST
Published: 2022-08-05T07:15:07.24+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 15.93%

Last modified Jun 17, 2026

CVE-2022-37434 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. EPSS estimates a 15.93% chance of exploitation in the next 30 days.

Description

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

15.93%

96.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Zlib	Zlib	<= 1.2.12
Fedoraproject	Fedora	35
Fedoraproject	Fedora	36
Fedoraproject	Fedora	37
Debian	Debian Linux	10.0
Netapp	Active Iq Unified Manager	All versions
Netapp	Hci	All versions
Netapp	Management Services For Element Software	All versions
Netapp	Oncommand Workflow Automation	All versions
Netapp	Ontap Select Deploy Administration Utility	All versions
Netapp	Storagegrid	All versions
Netapp	Hci Compute Node	All versions
Netapp	H300s Firmware	All versions
Netapp	H500s Firmware	All versions
Netapp	H700s Firmware	All versions
Apple	Ipados	< 15.7.1
Apple	Iphone Os	< 15.7.1
Apple	Iphone Os	>= 16.0, < 16.1
Apple	Macos	>= 11.0, < 11.7.1
Apple	Macos	>= 12.0.0, < 12.6.1
Apple	Watchos	< 9.1
Stormshield	Stormshield Network Security	>= 3.7.31, < 3.7.34
Stormshield	Stormshield Network Security	>= 3.11.0, < 3.11.22
Stormshield	Stormshield Network Security	>= 4.3.0, < 4.3.16
Stormshield	Stormshield Network Security	>= 4.6.0, < 4.6.3

References

http://seclists.org/fulldisclosure/2022/Oct/37Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/38Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/41Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/42Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/08/05/2Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/08/09/1Mailing List, Patch, Third Party Advisory
https://github.com/curl/curl/issues/9271Exploit, Issue Tracking, Third Party Advisory
https://github.com/ivd38/zlib_overflowExploit, Third Party Advisory
https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063Exploit, Third Party Advisory
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1Patch, Third Party Advisory
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764Exploit, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00012.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0005/Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0007/Third Party Advisory
https://support.apple.com/kb/HT213488Third Party Advisory
https://support.apple.com/kb/HT213489Third Party Advisory
https://support.apple.com/kb/HT213490Third Party Advisory
https://support.apple.com/kb/HT213491Third Party Advisory
https://support.apple.com/kb/HT213493Third Party Advisory
https://support.apple.com/kb/HT213494Third Party Advisory
https://www.debian.org/security/2022/dsa-5218Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/37Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/38Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/41Mailing List, Third Party Advisory
http://seclists.org/fulldisclosure/2022/Oct/42Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/08/05/2Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/08/09/1Mailing List, Patch, Third Party Advisory
https://github.com/curl/curl/issues/9271Exploit, Issue Tracking, Third Party Advisory
https://github.com/ivd38/zlib_overflowExploit, Third Party Advisory
https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063Exploit, Third Party Advisory
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1Patch, Third Party Advisory
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764Exploit, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00012.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0005/Third Party Advisory
https://security.netapp.com/advisory/ntap-20230427-0007/Third Party Advisory
https://support.apple.com/kb/HT213488Third Party Advisory
https://support.apple.com/kb/HT213489Third Party Advisory
https://support.apple.com/kb/HT213490Third Party Advisory
https://support.apple.com/kb/HT213491Third Party Advisory
https://support.apple.com/kb/HT213493Third Party Advisory
https://support.apple.com/kb/HT213494Third Party Advisory
https://www.debian.org/security/2022/dsa-5218Third Party Advisory
https://github.com/curl/curl/issues/9271Exploit, Issue Tracking, Third Party Advisory

Timeline

Published: Aug 5, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-37434?

How severe is CVE-2022-37434?

CVE-2022-37434 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 15.93% probability of exploitation in the next 30 days.

How do I fix CVE-2022-37434?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-37434?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST