Merge pull request #2426 from IABTechLab/swi-UID2-6704-fix-zlib-vulnerability

swibi-ttd · web-flow · commit dec077be906f · 2026-03-09T15:13:44.000+11:00
UID2-6704: Suppress CVE-2026-22184 (zlib untgz) - not exploitable
diff --git a/.trivyignore b/.trivyignore
@@ -18,4 +18,9 @@ GHSA-72hv-8253-57qq exp:2026-09-01
 
 # libpng heap buffer overflow in Alpine base image - fixed version not yet available in Alpine 3.23
 # See: UID2-6677
-CVE-2026-25646 exp:2026-09-02
+CVE-2026-25646 exp:2026-09-02
+
+# zlib contrib/untgz demo utility buffer overflow - not exploitable, Alpine does not ship the untgz binary
+# and the core libz library used by the JRE is unaffected. The zlib maintainer disputes this CVE.
+# See: UID2-6704
+CVE-2026-22184 exp:2026-09-09
