CVE-2006-4338
CVE-2006-4338 is a medium-severity vulnerability in Gzip with a CVSS 2.0 base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 2.0 base score 5.0)
- EPSS exploit prediction: 4% (88th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Gzip
- Published:
- Last modified:
Description
unlzh.c in the LHZ component in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted GZIP archive.
Frequently asked questions
- What is CVE-2006-4338?
- unlzh.c in the LHZ component in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted GZIP archive.
- How severe is CVE-2006-4338?
- CVE-2006-4338 has a CVSS 2.0 base score of 5.0, rated medium severity.
- Is CVE-2006-4338 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 4% (88th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2006-4338?
- CVE-2006-4338 affects Gzip. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2006-4338?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2006-4338 published?
- CVE-2006-4338 was published on 2006-09-19 and last updated on 2026-06-16.
References
- ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
- http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=204676
- http://docs.info.apple.com/article.html?artnum=304829
- http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
- http://secunia.com/advisories/21996
- http://secunia.com/advisories/22002
- http://secunia.com/advisories/22009
- http://secunia.com/advisories/22012
- http://secunia.com/advisories/22017
- http://secunia.com/advisories/22027
- http://secunia.com/advisories/22033
- http://secunia.com/advisories/22034
- http://secunia.com/advisories/22043
- http://secunia.com/advisories/22085
- http://secunia.com/advisories/22101
- http://secunia.com/advisories/22435
- http://secunia.com/advisories/22487
- http://secunia.com/advisories/22661
- http://secunia.com/advisories/23153
- http://secunia.com/advisories/23155
- http://secunia.com/advisories/23156
- http://secunia.com/advisories/23679
- http://secunia.com/advisories/24435
- http://secunia.com/advisories/24636
- http://security.freebsd.org/advisories/FreeBSD-SA-06:21.gzip.asc
- http://security.gentoo.org/glsa/glsa-200609-13.xml
- http://securitytracker.com/id?1016883
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.555852
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-102766-1
- http://support.avaya.com/elmodocs2/security/ASA-2006-218.htm
Affected products (1)
- cpe:2.3:a:gzip:gzip:1.3.5:*:*:*:*:*:*:*
More vulnerabilities in Gzip
- CVE-2006-4336 — High (CVSS 7.5): Buffer underflow in the build_tree function in unpack.c in gzip 1.3.5 allows context-dependent attackers to execute…
- CVE-2006-4337 — High (CVSS 7.5): Buffer overflow in the make_table function in the LHZ component in gzip 1.3.5 allows context-dependent attackers to…
- CVE-2006-4335 — High (CVSS 7.5): Array index error in the make_table function in unlzh.c in the LZH decompression component in gzip 1.3.5, when running…
- CVE-2006-4334 — Medium (CVSS 5.0): Unspecified vulnerability in gzip 1.3.5 allows context-dependent attackers to cause a denial of service (crash) via a…