UID2-6704: Suppress CVE-2026-22184 (zlib untgz) - not exploitable#2426

Merged
swibi-ttd merged 1 commit into main from swi-UID2-6704-fix-zlib-vulnerability
Mar 9, 2026

Conversation

swibi-ttd (Contributor) commented Mar 9, 2026

Summary

  • Suppress CVE-2026-22184 in .trivyignore — not exploitable in our context
  • Unblocks the Publish All Operators pipeline

Why suppress instead of fix?

CVE-2026-22184 (CVSS 9.3) is a buffer overflow in zlib's contrib/untgz demo utility, not in the core libz compression library:

  1. Alpine doesn't ship untgz — the zlib package only contains libz.so
  2. The JRE only uses libz — for java.util.zip operations (GZIPInputStream, etc.)
  3. No code path exists — a Java HTTP service cannot trigger the vulnerable untgz binary
  4. The zlib maintainer disputes this CVE — he removed untgz entirely rather than patching it (zlib#1142)

Context

  • CVE: CVE-2026-22184
  • Severity: CRITICAL (CVSS 9.3) — inflated due to theoretical buffer overflow impact
  • Jira: UID2-6704

Test plan

  • Verify Trivy vulnerability scan passes with the suppression
  • Verify build checks pass

🤖 Generated with Claude Code
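A suppression like the one described above is only as good as the record that travels with it: a reviewer six months from now needs the rationale and a date by which the decision is re-examined. The following is an added example, not code from the UID2 repository or from this PR: a small audit script for a `.trivyignore` file that requires every ignored finding to carry a rationale comment directly above it and Trivy's `exp:YYYY-MM-DD` expiry suffix, and that fails on expired or open-ended suppressions. The sample file embedded in it is constructed: the expiry date, the comment wording and the 365-day policy window are assumptions, and `CVE-0000-00000` is a placeholder id used only to show a failing entry.

```python
"""Audit a .trivyignore file: every suppressed finding must carry a rationale
comment directly above it and a Trivy `exp:YYYY-MM-DD` expiry, and no
suppression may be expired or more than MAX_DAYS in the future.

Added example for this PR, not code from the UID2 repository. The sample
file below is constructed: the expiry date and comment wording are
assumptions, and CVE-0000-00000 is a placeholder id, not a real CVE.
"""
import re
import sys
from datetime import date

MAX_DAYS = 365  # longest acceptable suppression window (policy assumption)

# One Trivy .trivyignore entry: an ID, optionally followed by ` exp:YYYY-MM-DD`.
ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*$")

SAMPLE_TRIVYIGNORE = (
    "# CVE-2026-22184: buffer overflow in zlib contrib/untgz demo utility,\n"
    "# not in libz. Alpine ships only libz.so and the JRE only calls libz via\n"
    "# java.util.zip, so no code path reaches untgz. Jira: UID2-6704\n"
    "CVE-2026-22184 exp:2026-09-09\n"
    "\n"
    "CVE-0000-00000\n"  # placeholder entry with neither rationale nor expiry
)


def parse_trivyignore(text):
    """Return one dict per suppression: id, exp (date or None), rationale.

    Comment lines immediately above an entry form its rationale; a blank
    line breaks that association so a stale header is not reused.
    """
    entries, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending = []
            continue
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unparseable .trivyignore line: {raw!r}")
        exp = date.fromisoformat(m.group("exp")) if m.group("exp") else None
        entries.append({"id": m.group("id"), "exp": exp, "rationale": " ".join(pending)})
        pending = []
    return entries


def audit(entries, today_iso):
    """Return a list of policy violations (an empty list means the file passes)."""
    today = date.fromisoformat(today_iso)
    problems = []
    for e in entries:
        if not e["rationale"]:
            problems.append(f"{e['id']}: no rationale comment above the entry")
        if e["exp"] is None:
            problems.append(f"{e['id']}: no exp: expiry, suppression is permanent")
        elif e["exp"] < today:
            problems.append(f"{e['id']}: suppression expired on {e['exp']}, re-triage")
        elif (e["exp"] - today).days > MAX_DAYS:
            problems.append(f"{e['id']}: expiry {e['exp']} is more than {MAX_DAYS} days out")
    return problems


def audit_text(text, today_iso):
    """Convenience wrapper: parse and audit a file's contents in one call."""
    return audit(parse_trivyignore(text), today_iso)


if __name__ == "__main__":
    # Usage: python audit_trivyignore.py [path/to/.trivyignore]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_TRIVYIGNORE
    failures = audit_text(text, date.today().isoformat())
    for p in failures:
        print("FAIL", p)
    sys.exit(1 if failures else 0)
```

Run against the sample it reports only the placeholder entry; wired into the same pipeline as the Trivy scan it turns a forgotten suppression into a build failure once its expiry passes, which is the point at which the "not exploitable in our context" claim should be re-checked against the current base image.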

The vulnerability is in zlib's contrib/untgz demo utility, not the core
libz library. Alpine does not ship the untgz binary, and the JRE only
uses libz for compression. The zlib maintainer disputes this CVE and
removed the untgz tool entirely. Not exploitable in our context.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
swibi-ttd force-pushed the swi-UID2-6704-fix-zlib-vulnerability branch from 14c24ed to 23a6263 on March 9, 2026 03:38
swibi-ttd changed the title from "UID2-6704: Fix CVE-2026-22184 critical zlib vulnerability" to "UID2-6704: Suppress CVE-2026-22184 (zlib untgz) - not exploitable" on Mar 9, 2026
swibi-ttd merged commit dec077b into main on Mar 9, 2026
9 checks passed
swibi-ttd deleted the swi-UID2-6704-fix-zlib-vulnerability branch on March 9, 2026 04:13