Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2026-41991 and CVE-2026-41992) found in the gzip software.
Analysis Summary
# Vulnerability: Multiple Flaws in GNU gzip (Insecure Temp Files & Buffer Over-read)
## CVE Details
- **CVE ID**: CVE-2026-41991, CVE-2026-41992
- **CVSS Score**: Not explicitly provided (Estimated: Medium to High)
- **CWE**:
  - CWE-377 (Insecure Temporary File)
  - CWE-126 (Buffer Over-read)
## Affected Systems
- **Products**: GNU gzip
- **Versions**: All versions through 1.14
- **Configurations**:
  - **CVE-2026-41991**: Specifically affects the `gzexe` utility when the `mktemp` utility is missing from the user's PATH.
  - **CVE-2026-41992**: Affects the `gzip -d` (decompression) command when processing multiple files (specifically LZW followed by LZH) in a single execution.
## Vulnerability Description
- **CVE-2026-41991 (Local File Overwrite)**: The `gzexe` utility fails to handle temporary files securely if `mktemp` is unavailable. It defaults to a predictable filename based on the Process ID (PID) without verifying if the file already exists. An attacker can create a symbolic link at the predicted path, causing `gzexe` to overwrite arbitrary files with the victim's privileges (TOCTOU condition).
- **CVE-2026-41992 (Global Buffer Over-read)**: A flaw exists in the `LZH` decompression logic due to the reuse of shared global state. The `LZ77`, `LZW`, and `LZH` routines share a global array that is not reinitialized between files. A specially crafted LZW file can "poison" this state, causing a subsequent LZH file processed in the same session to trigger an out-of-bounds read.
## Exploitation
- **Status**: PoC described; reported via coordinated disclosure (no confirmed "in-the-wild" exploitation mentioned).
- **Complexity**:
  - CVE-2026-41991: Medium (Requires local access and specific environment conditions).
  - CVE-2026-41992: Medium (Requires delivery of two specially crafted files to be processed together).
- **Attack Vector**:
  - CVE-2026-41991: Local
  - CVE-2026-41992: Local/Network (via file delivery)
## Impact
- **Confidentiality**: Low to Medium (Possible Information Leak via Buffer Over-read).
- **Integrity**: High (Arbitrary file overwrite via `gzexe`).
- **Availability**: Medium (Potential application crashes).
## Remediation
### Patches
Update GNU gzip to a version newer than 1.14 or apply the following Git commits:
- **CVE-2026-41991**: Fixed in commit `4e6f8b24ab823146ab8776f0b7fe486ab34d4269`
- **CVE-2026-41992**: Fixed in commit `63dbf6b3b9e6e781df1a6a64e609b10e23969681`
### Workarounds
- **For CVE-2026-41991**: Ensure the `mktemp` utility is installed and correctly configured in the system PATH.
- **For CVE-2026-41992**: Avoid decompressing multiple untrusted files in a single `gzip -d` command; process files individually to ensure global state is reset.
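The following shell script is an added example, not code from GNU gzip or from the `gzexe` script itself. It shows the CVE-2026-41991 workaround condition as a check (is `mktemp` reachable through PATH?) and the temp-file creation pattern the vulnerability description calls for: a fallback that never silently reuses a predictable PID-based name, because creation is done exclusively and fails when a file or symbolic link is already present at the path. The `gzexe.` filename prefix and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from GNU gzip or gzexe: the mktemp-on-PATH
# workaround check for CVE-2026-41991 plus a temp-file creation pattern
# that refuses to reuse a path where something already exists.

# The workaround condition from the advisory: mktemp must be on PATH.
mktemp_on_path() {
    command -v mktemp >/dev/null 2>&1
}

# Exclusive create: with noclobber (set -C) the shell refuses to open the
# path for writing if anything already exists there, including a symbolic
# link planted by another local user, so the TOCTOU window is closed.
exclusive_create() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# Prefer mktemp; otherwise fall back to exclusive creation with a random
# suffix. The safety rests on the exclusive create, not on the suffix.
make_tmpfile() {
    dir="${TMPDIR:-/tmp}"
    if mktemp_on_path; then
        mktemp "$dir/gzexe.XXXXXX"   # "gzexe." prefix is an assumed name
        return $?
    fi
    make_tmpfile_fallback "$dir"
}

# Fallback used only when mktemp is absent: PID plus 32 random bits,
# and the path is only accepted if exclusive creation succeeds.
make_tmpfile_fallback() {
    dir="${1:-${TMPDIR:-/tmp}}"
    tries=0
    while [ "$tries" -lt 100 ]; do
        # 32 bits from /dev/urandom as a decimal number, whitespace stripped
        rnd=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
        candidate="$dir/gzexe.$$.$rnd"
        if exclusive_create "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not create a temporary file in $dir" >&2
    return 1
}
```

The important property is in `exclusive_create`: a predictable name is only dangerous when the program opens it with truncation and follows whatever is already there; refusing to open an existing path (file or symlink) removes the file-overwrite outcome even if an attacker guessed the name.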
## Detection
- **Indicators of Compromise**: Presence of unexpected symbolic links in temporary directories (e.g., `/tmp`) that match `gzexe` naming patterns.
- **Detection Methods**: Security teams should audit scripts that utilize `gzexe` or batch-process gzip files for these specific conditions.
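As an added example (not gzip project code), the script below turns the CVE-2026-41992 workaround and the CVE-2026-41991 indicator above into two small shell functions: one that decompresses a list of files with a separate `gzip -d` process per file, so no decoder state can carry over between files, and one that lists symbolic links at the top level of a temporary directory whose names start with a given prefix. The default `gzexe` prefix is an assumed naming pattern; adjust it to what the `gzexe` version in use actually produces.

```shell
#!/bin/sh
# Added example, not gzip project code: per-file decompression (workaround
# for CVE-2026-41992) and a symlink check in a temp directory (indicator
# for CVE-2026-41991).

# Decompress each file in its own gzip -d invocation so no global decoder
# state carries over from one file to the next. Returns non-zero if any
# file fails, but keeps going so every file is attempted.
gunzip_each() {
    status=0
    for f in "$@"; do
        gzip -d -- "$f" || status=1
    done
    return $status
}

# List symbolic links directly under a temp directory whose names start
# with a prefix (default "gzexe", an assumed pattern). Regular files are
# ignored; only links are the indicator named in the advisory.
find_tmp_symlinks() {
    dir="${1:-${TMPDIR:-/tmp}}"
    prefix="${2:-gzexe}"
    find "$dir" -maxdepth 1 -type l -name "${prefix}*" 2>/dev/null
}
```

Run `find_tmp_symlinks /tmp` from a scheduled job or a host-audit script and alert on any output; run `gunzip_each file1.gz file2.gz ...` wherever a batch `gzip -d *.gz` would otherwise be used on untrusted input.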
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/06/vulnerabilities-in-gzip-software/
- CVE-2026-41991: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-41991
- CVE-2026-41992: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-41992
- GNU gzip Project: hxxps[://]www[.]gnu[.]org/software/gzip/