What is CVE-2018-25032?

CVE-2018-25032 is a high-severity software vulnerability (Out-of-bounds write) with a CVSS score of 7.5. zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Is CVE-2018-25032 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 52%.

What products does CVE-2018-25032 affect?

Tracked products affected include Python. Check the version you run to see whether it is affected.

How do I fix CVE-2018-25032?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2018-25032

HIGH severity · CVSS 7.5 · Out-of-bounds write

7.5CVSS HIGH

Summary

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactNone

Integrity impactNone

Availability impactHigh

Exploit probability (EPSS)52%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products we track (1)

Python

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531 ↗

Additional information

NVD record
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531Patch
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12Patch
http://seclists.org/fulldisclosure/2022/May/33Advisory
http://seclists.org/fulldisclosure/2022/May/35Advisory
http://seclists.org/fulldisclosure/2022/May/38Advisory
http://www.openwall.com/lists/oss-security/2022/03/25/2Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdfAdvisory
http://www.openwall.com/lists/oss-security/2022/03/26/1Advisory