CVE-2026-27171
Publication date 18 February 2026
Last updated 26 June 2026
Ubuntu priority
Cvss 3 Severity Score
Description
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
Why is this CVE low priority?
Resource consumption via API misuse only
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| zlib | 26.04 LTS resolute | Vulnerable |
| zlib | 25.10 questing | Vulnerable |
| zlib | 24.04 LTS noble | Vulnerable |
| zlib | 22.04 LTS jammy | Not affected |
| zlib | 20.04 LTS focal | Not affected |
| zlib | 18.04 LTS bionic | Not affected |
| zlib | 16.04 LTS xenial | Not affected |
| zlib | 14.04 LTS trusty | Not affected |
| rsync | 26.04 LTS resolute | Not affected |
| rsync | 25.10 questing | Not affected |
| rsync | 24.04 LTS noble | Not affected |
| rsync | 22.04 LTS jammy | Not affected |
| rsync | 20.04 LTS focal | Not affected |
| rsync | 18.04 LTS bionic | Not affected |
| rsync | 16.04 LTS xenial | Not affected |
| rsync | 14.04 LTS trusty | Not affected |
| klibc | 26.04 LTS resolute | Not affected |
| klibc | 25.10 questing | Not affected |
| klibc | 24.04 LTS noble | Not affected |
| klibc | 22.04 LTS jammy | Not affected |
| klibc | 20.04 LTS focal | Not affected |
| klibc | 18.04 LTS bionic | Not affected |
| klibc | 16.04 LTS xenial | Not affected |
| klibc | 14.04 LTS trusty | Not affected |
| zsync | 26.04 LTS resolute | Not affected |
| zsync | 25.10 questing | Not affected |
| zsync | 24.04 LTS noble | Not affected |
| zsync | 22.04 LTS jammy | Not affected |
| zsync | 20.04 LTS focal | Not affected |
| zsync | 18.04 LTS bionic | Not affected |
| zsync | 16.04 LTS xenial | Ignored end of ESM support, was needs-triage |
Notes
mdeslaur
Since 3.2.0-1, rsync builds with the system zlib. This issue stems from the misuse of an API, no indication that the API is being misused by anything in Ubuntu. This would only result in CPU consumption if it is in fact being misused. Marking this issue as low priority.
pfsmorigo
The vulnerable code was introduced in zlib 1.3.0. rsync from trusty to focal bundles zlib 1.2.8. klibc from trusty to resolute bundles zlib 1.2.3. zsync from trusty to resolute bundles zlib 1.2.1.1.
Severity score breakdown
CVSS version: CVSS v3.0
Base score
2.9 · Low
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L