cve 2026 27171

CVE-2026-27171 is a vulnerability in zlib versions prior to 1.3.2 that can cause unbounded CPU consumption due to a logic error in the CRC combination functions crc32_combine64 and crc32_combine_gen64. The internal helper x2nmodp performs right shifts in a loop that may never terminate, leading to a denial of service. The issue was fixed in zlib 1.3.2, released on February 17, 2026, which adds checks for negative lengths and includes other safety hardening from a public audit. Users should update to zlib 1.3.2 or later to mitigate this vulnerability.