diff --git a/.trivyignore b/.trivyignore index 273fcd0d..199b38ec 100644 --- a/.trivyignore +++ b/.trivyignore @@ -15,6 +15,14 @@ CVE-2026-25793 # See also: .grype.yaml for full justification CVE-2026-22184 +# CVE-2026-27171: zlib CPU spin via crc32_combine64 infinite loop (DoS) +# Severity: MEDIUM (CVSS 5.5 NVD / 2.9 MITRE) — Package: zlib 1.3.1-r2 in Alpine base image +# Fix requires zlib >= 1.3.2. No upstream fix available: Alpine 3.23 still ships zlib 1.3.1-r2. +# Attack requires local access (AV:L); the vulnerable code path is not reachable via Charon's +# network-facing surface. Non-blocking by CI policy (MEDIUM). Review by: 2026-04-21 +# exp: 2026-04-21 +CVE-2026-27171 + # CVE-2026-2673: OpenSSL TLS 1.3 server key exchange group downgrade (libcrypto3/libssl3) # Severity: HIGH (CVSS 7.5) — Packages: libcrypto3 3.5.5-r0 and libssl3 3.5.5-r0 in Alpine base image # No upstream fix available: Alpine 3.23 still ships libcrypto3/libssl3 3.5.5-r0 as of 2026-03-18. diff --git a/SECURITY.md b/SECURITY.md index 29b99ec2..51679df7 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -153,6 +153,48 @@ CVE-2025-68121 (Critical severity, same root cause) is tracked separately above. --- +### [MEDIUM] CVE-2026-27171 · zlib CPU Exhaustion via Infinite Loop in CRC Combine Functions + +| Field | Value | +|--------------|-------| +| **ID** | CVE-2026-27171 | +| **Severity** | Medium · 5.5 (NVD) / 2.9 (MITRE) | +| **Status** | Awaiting Upstream | + +**What** +zlib before 1.3.2 allows unbounded CPU consumption (denial of service) via the `crc32_combine64` +and `crc32_combine_gen64` functions. An internal helper `x2nmodp` performs right-shifts inside a +loop with no termination condition when given a specially crafted input, causing a CPU spin +(CWE-1284). + +**Who** +- Discovered by: 7aSecurity audit (commissioned by OSTIF) +- Reported: 2026-02-17 +- Affects: Any component in the container that calls `crc32_combine`-family functions with + attacker-controlled input; not directly exposed through Charon's application interface + +**Where** +- Component: Alpine 3.23.3 base image (`zlib` package, version 1.3.1-r2) +- Versions affected: zlib < 1.3.2; all current Charon images using Alpine 3.23.3 + +**When** +- Discovered: 2026-02-17 (NVD published 2026-02-17) +- Disclosed (if public): 2026-02-17 +- Target fix: When Alpine 3.23 publishes a patched `zlib` APK (requires zlib 1.3.2) + +**How** +Exploitation requires local access (CVSS vector `AV:L`) and the ability to pass a crafted value +to the `crc32_combine`-family functions. This code path is not invoked by Charon's reverse proxy +or backend API. The vulnerability is non-blocking under the project's CI severity policy. + +**Planned Remediation** +Monitor https://security.alpinelinux.org/vuln/CVE-2026-27171 for a patched Alpine APK. Once +available, update the pinned `ALPINE_IMAGE` digest in the Dockerfile, or add an explicit +`RUN apk upgrade --no-cache zlib` to the runtime stage. Remove the `.trivyignore` entry at +that time. 
+ +--- + ## Patched Vulnerabilities ### ✅ [HIGH] CHARON-2026-001 · Debian Base Image CVE Cluster
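Review bot: in the `.trivyignore` hunk the expiry lives only in a comment (`# exp: 2026-04-21`), so Trivy will not enforce it; Trivy reads an expiry only from an `exp:` token on the same line as the identifier, e.g. `CVE-2026-27171 exp:2026-04-21`. If the review date is meant to be enforced by CI rather than by a calendar reminder, put the token on the ID line and keep the comment for the rationale. The `No upstream fix available` line also lacks the `as of <date>` qualifier the neighbouring OpenSSL entry carries; add it so a later reader can tell how stale the check is.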
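Review bot: in the SECURITY.md hunk the **How** section states that the `crc32_combine` path is not invoked by Charon's reverse proxy or backend API, while the **Who** section says any component in the container calling those functions with attacker-controlled input is affected; the entry should record how the first claim was verified (which binaries in the image link the Alpine `zlib` library and whether any of them reference the `crc32_combine`-family symbols) so the ignore can be re-validated when the image or its dependencies change. The `RUN apk upgrade --no-cache zlib` step under **Planned Remediation** only takes effect once Alpine publishes a fixed APK for 3.23 (it is a no-op before that), so give this section the same 2026-04-21 review date the `.trivyignore` entry carries; it currently has no review date at all.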