Description
Describe the bug
A critical CVE affecting zlib (CVE-2026-22184) was detected in multiple OpenCost UI container images. The vulnerability is a global buffer overflow in the untgz utility (TGZfname() function) that allows an attacker to provide an archive name longer than 1024 bytes, potentially leading to memory corruption, denial of service, or arbitrary code execution.
Affected images observed in our environment include:
ghcr.io/opencost/opencost-ui:1.119.1
ghcr.io/opencost/opencost-ui:1.119.2
ghcr.io/opencost/opencost:1.119.2
Expected behavior
OpenCost UI images should not contain critical CVEs in base libraries like zlib. Updated images should be published with the vulnerability patched.
Screenshots
Attached screenshot showing affected images and CVE status.
Which version of OpenCost are you using?
1.119.1 / 1.119.2 (as per container image tags in our environment)
Additional context
Kubernetes cluster: OpenShift
References
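The report above describes the bug class (a 1024-byte global buffer in an archive-name helper that is written without a length check) but not the fix. The following is an added illustration, not zlib's untgz source and not OpenCost code: it models the described pattern with hypothetical names (`tgz_fname_unchecked`, `tgz_fname_checked`, `tgz_name_would_overflow`) and shows the bound check a maintainer would put in front of the copy. The suffix list and the 1024-byte size are assumptions taken from the report's description, and no file-system access is performed so it runs offline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size: the report says names longer than 1024 bytes overflow. */
#define TGZ_BUF_SIZE 1024

/* Hypothetical suffix list tried in turn when resolving an archive name. */
static const char *TGZ_SUFFIXES[] = { "", ".tgz", ".tar.gz" };
#define N_SUFFIXES (sizeof TGZ_SUFFIXES / sizeof TGZ_SUFFIXES[0])

/* Fixed-size global buffer: writes past it corrupt neighbouring globals. */
static char tgz_buffer[TGZ_BUF_SIZE];

/* Vulnerable pattern (illustration only): the archive name is copied
 * into the global buffer with no length check, then a suffix is appended.
 * Never call this with an untrusted name; it is here to show the bug shape. */
const char *tgz_fname_unchecked(const char *arcname, size_t suffix_idx)
{
    size_t origlen;
    strcpy(tgz_buffer, arcname);                    /* overflow if strlen >= 1024 */
    origlen = strlen(tgz_buffer);
    strcpy(tgz_buffer + origlen, TGZ_SUFFIXES[suffix_idx]);  /* overflow again */
    return tgz_buffer;
}

/* Hardened version: compute the final length first and refuse anything
 * that does not fit, including the suffix and the terminating NUL. */
const char *tgz_fname_checked(const char *arcname, size_t suffix_idx)
{
    size_t namelen, suflen;

    if (arcname == NULL || suffix_idx >= N_SUFFIXES)
        return NULL;
    namelen = strlen(arcname);
    suflen = strlen(TGZ_SUFFIXES[suffix_idx]);
    if (namelen + suflen + 1 > sizeof tgz_buffer)   /* +1 for the NUL */
        return NULL;
    memcpy(tgz_buffer, arcname, namelen);
    memcpy(tgz_buffer + namelen, TGZ_SUFFIXES[suffix_idx], suflen + 1);
    return tgz_buffer;
}

/* Predicate for triage: would this name overflow the unchecked copy path? */
int tgz_name_would_overflow(const char *arcname, size_t suffix_idx)
{
    if (arcname == NULL || suffix_idx >= N_SUFFIXES)
        return 1;
    return strlen(arcname) + strlen(TGZ_SUFFIXES[suffix_idx]) + 1 > TGZ_BUF_SIZE;
}

/* Builds a constructed name of n 'A' characters and reports whether the
 * hardened function rejects it (1) or accepts it (0). */
int tgz_rejects_name_of_length(size_t n)
{
    char *name = malloc(n + 1);
    int rejected;

    if (name == NULL)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    rejected = (tgz_fname_checked(name, 0) == NULL);
    free(name);
    return rejected;
}

int main(void)
{
    /* Short, well-formed name: both paths behave the same. */
    printf("%s\n", tgz_fname_checked("backup", 1));        /* backup.tgz */

    /* Over-long name (constructed): the hardened path refuses it instead
     * of writing past the 1024-byte buffer as the unchecked path would. */
    printf("1500-byte name rejected: %d\n", tgz_rejects_name_of_length(1500));
    printf("1023-byte name rejected: %d\n", tgz_rejects_name_of_length(1023));
    return 0;
}
```

The check is placed before any write so that a rejected name leaves the buffer untouched; the boundary case (1023 characters plus the empty suffix plus NUL) still fits, while 1023 characters plus ".tgz" does not.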