It was discovered that Gzip's gzexe utility handled temporary files in an insecure manner. When the mktemp utility was not available, gzexe constructed a temporary file path based on the process ID, which could be predicted. A local attacker could possibly use this issue to overwrite arbitrary files via a symlink attack. (CVE-2026-41991) It was discovered that Gzip incorrectly handled certain compressed files. An attacker could possibly use this issue to obtain sensitive information or cause Gzip to crash, resulting in a denial of service. (CVE-2026-41992)
Continue reading...
Continue reading...

