CVE-2026-27171

low-risk

Published 2026-02-18

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.9/10 Low

LOCAL / HIGH complexity

Affected Products (1)

Zlib

Affected Vendors

Zlib

References (6)

Product https://7asecurity.com/blog/2026/02/zlib-7asecurity-audit/

Technical Description https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

Exploit https://github.com/madler/zlib/issues/904

Release Notes https://github.com/madler/zlib/releases/tag/v1.3.2

Product https://ostif.org/zlib-audit-complete/

Technical Description https://7asecurity.com/reports/pentest-report-zlib-RC1.1.pdf

/ 100

low-risk

Severity 8/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal