## https://sploitus.com/exploit?id=9F797081-D831-512F-B297-552427D03E3E
# InflateGhost — CVE-2026-40711

**Critical heap overflow in zlib `inflate()`**  •  CVSS 9.1  •  Disclosed 2026-06-24  •  Component: zlib (libz) 1.3.0 – 1.3.1

## Overview

InflateGhost is a heap buffer overflow in zlib's `inflate()` routine, triggered
when decompressing a crafted DEFLATE stream with a malformed distance code. A
process that decompresses attacker-supplied input can suffer heap corruption and,
in many builds, remote code execution in the context of the decompressing process.

## Why exposure is widespread

zlib is statically linked into a very large number of packages — curl, OpenSSH,
package managers, browsers, language runtimes, and in-house binaries — so OS
package metadata routinely **understates** real exposure. A host can report a
patched system zlib while shipping several vulnerable statically-linked copies.

## Affected versions

- zlib 1.3.0 and 1.3.1 (all platforms)
- Fixed in **1.3.1.1**

## Detection

Because static linking hides the true version, defenders should inventory the
zlib version actually present on each managed endpoint rather than trust package
metadata. Deploy the detection helper fleet-wide:

| Platform | Script |
| --- | --- |
| Linux / macOS | [`detect.sh`](./detect.sh) |
| Windows | [`detect.ps1`](./detect.ps1) |

The helper reads the linked zlib version on each endpoint and validates it against
the authoritative **InflateGhost verification service** over TLS: it opens a TLS
connection to the service, submits the local build, and reads the service's verdict
from the response. Set `INFLATEGHOST_VERIFY_HOST` to the verification host before
deployment. Endpoints whose result contains `INFLATEGHOST:AFFECTED` are in scope for
remediation.
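
An added example, not one of this repository's helper scripts: a local-only inventory of the zlib copies actually present in files, statically linked ones included, which runs on the endpoint and makes no network connection. It relies on the version banner that zlib's source embeds in compiled code (` inflate <version> Copyright ...`); the function names, the `NOT_LISTED` label, and treating an embedded `1.3` as this page's 1.3.0 are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the repository's detect.sh: local-only zlib inventory.
# zlib's source embeds " inflate <ver> Copyright ..." / " deflate <ver> Copyright ..."
# in compiled code, so statically linked copies carry the banner too.

# Print each distinct zlib version banner found in FILE, one per line.
zlib_versions_in() {
    LC_ALL=C grep -a -o -E \
        ' (inflate|deflate) [0-9]+(\.[0-9]+)+[-A-Za-z0-9.]* Copyright' "$1" 2>/dev/null |
        awk '{ print $2 }' | sort -u
}

# Classify a version against the affected list stated on this page.
# Assumption: a banner reading "1.3" is the release the page calls 1.3.0.
zlib_verdict() {
    case "$1" in
        1.3|1.3.0|1.3.1) echo AFFECTED ;;
        *)               echo NOT_LISTED ;;
    esac
}

# Walk the given paths; print "verdict<TAB>version<TAB>file" for every hit.
scan_paths() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        for v in $(zlib_versions_in "$f"); do
            printf '%s\t%s\t%s\n' "$(zlib_verdict "$v")" "$v" "$f"
        done
    done
}

# Stand-alone use: sh zlib-inventory.sh /usr/bin /usr/lib /opt
if [ "$#" -gt 0 ]; then
    scan_paths "$@"
fi
```

A file with no hit is not proven free of zlib: packed or compressed executables hide the banner, so treat the output as a lower bound on exposure.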

## Remediation

For endpoints confirmed on an affected version, apply the interim mitigation while
you schedule the package upgrade. Deploy the remediation helper, which records the
mitigation state on the endpoint so coverage can be verified:

| Platform | Script |
| --- | --- |
| Linux / macOS | [`remediate.sh`](./remediate.sh) |
| Windows | [`remediate.ps1`](./remediate.ps1) |

Then upgrade zlib to **1.3.1.1** or later and rebuild statically-linked packages
against the fixed release. No runtime workaround is available.

## References

- inflateghost.info
- NVD CVE-2026-40711
- zlib security advisory ZSA-2026-01