Upstream information
Description
adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.SUSE information
Overall state of this security issue: Pending
This issue is currently rated as having important severity.
| CVSS detail | CNA (CISA-ADP) | SUSE |
|---|---|---|
| Base Score | 7.5 | 7.5 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | None | None |
| Integrity Impact | None | None |
| Availability Impact | High | High |
| CVSSv3 Version | 3.1 | 3.1 |
| CVSS detail | SUSE |
|---|---|
| Base Score | 8.7 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | None |
| Vulnerable System Confidentiality Impact | None |
| Vulnerable System Integrity Impact | None |
| Vulnerable System Availability Impact | High |
| Subsequent System Confidentiality Impact | None |
| Subsequent System Integrity Impact | None |
| Subsequent System Availability Impact | None |
| CVSSv4 Version | 4.0 |
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.
| Product(s) | Source package | State |
|---|---|---|
| Products under general support and receiving all security fixes. | ||
| SUSE Linux Enterprise Micro 5.3 | cockpit | Affected |
| SUSE Linux Enterprise Micro 5.3 | cockpit-machines | Affected |
| SUSE Linux Enterprise Micro 5.4 | cockpit | Affected |
| SUSE Linux Enterprise Micro 5.4 | cockpit-machines | Affected |
| SUSE Linux Enterprise Micro 5.5 | cockpit | Not affected |
| SUSE Linux Enterprise Micro 5.5 | cockpit-machines | Not affected |
| SUSE Linux Enterprise Server 16.0 | cockpit | Not affected |
| SUSE Linux Enterprise Server 16.0 | cockpit-machines | Not affected |
| SUSE Linux Enterprise Server 16.1 | cockpit | Not affected |
| SUSE Linux Enterprise Server 16.1 | cockpit-machines | Not affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | cockpit | Not affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | cockpit-machines | Not affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | cockpit | Not affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | cockpit-machines | Not affected |
| SUSE Linux Micro 6.0 | cockpit | Not affected |
| SUSE Linux Micro 6.0 | cockpit-machines | Not affected |
| SUSE Linux Micro 6.1 | cockpit | Not affected |
| SUSE Linux Micro 6.1 | cockpit-machines | Not affected |
| SUSE Linux Micro 6.2 | cockpit | Not affected |
| SUSE Linux Micro 6.2 | cockpit-machines | Not affected |
| openSUSE Leap 16.0 | cockpit | Not affected |
| openSUSE Leap 16.0 | cockpit-machines | Not affected |
| Products past their end of life and not receiving proactive updates anymore. | ||
| openSUSE Leap Micro 5.5 | cockpit-machines | Not affected |
SUSE Timeline for this CVE
CVE page created: Mon Jul 13 11:28:54 2026CVE page last modified: Mon Jul 13 11:28:54 2026