CVE-2026-24811
Published: 01/27/2026 09:15:51
Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C.
This issue affects root.
Unknown
CVSS v2:
CVSS v2:
Status
| DocFilters Release | Package | State | Justification | Comment |
|---|---|---|---|---|
| 0.0.0.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 25.4 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 25.3 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 25.2 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 25.1.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 25.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 24.4 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 24.4.0 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 24.3 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 24.2.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 24.2 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 24.1 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 23.3 | zlib (1.3) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 23.2.1 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 23.2 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 23.1 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 22.4 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 22.3 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 22.2 | zlib (1.2.12) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 22.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.11.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.11 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.8.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.8 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.5.1 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.5.0 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 21.2.0 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.20 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.19.3667 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.18.3599 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.17 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.16.3445 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.15.3368 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.14.3263 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.13.3179 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.12.3054 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.11.3040 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.11.2990 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.10.2934 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.9.2878 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |
| 11.4.8.2822 | zlib (1.2.11) | Not Affected | Code Not Present | CVE-2026-24811 affects the root-project’s cloned/bundled copy of zlib that did not receive the upstream fix from CVE-2016-9841. The underlying vulnerability was improper pointer arithmetic in inffast.c using PUP() macros and OFF offset calculations. This was fixed in upstream zlib 1.2.9 (September 2016) via commit 9aaec95e82117c1cb0f9624264c3618fc380cecb. Document Filters uses zlib 1.3 (released August 2023), which uses the patched post-increment pointer arithmetic (*in++, *out++) instead of the vulnerable PUP() macro pattern. All inffast.c files in our source tree (zlib-1.3, freetype-2.13.3, openjpeg-2.5.3) contain the fixed code. |