CVE-2026-22184 Zlib security vulnerability

[raghupcr]

HI Team,

Our Security tool is showing issue in zlib version 1.3.1 which is part of the pyinstaller 6.4.x version.
So is there any plan or release date when pyinstaller will carry new zlib version 1.3.2?

Thanks,
Raghavendra

[rokm]

Our Security tool is showing issue in zlib version 1.3.1 which is part of the pyinstaller 6.4.x version.

This CVE is irrelevant to PyInstaller, as per its own summary (emphasis mine):

zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

But I've been meaning to update the bundled zlib sources to 1.3.2 to prevent us from having to deal with these sort of bogus queries/reports...

[raghupcr]

@rokm thanks for your prompt reply, so Pyinstaller is not affected.
But I've been meaning to update the bundled zlib sources to 1.3.2 to prevent us from having to deal with these sort of bogus queries/reports...
---- is there any rough timeline which we can keep in our vulnerability ticket so that we can get some approvals please

[rokm]

---- is there any rough timeline which we can keep in our vulnerability ticket so that we can get some approvals please

Next release might happen mid-March, if enough changes accumulate by then. As far as I'm concerned, the zlib update alone does not warrant new release.

[raghupcr]

@rokm ok got it thanks a lot this helps
Thanks for the immediate reply :)