CVE-2026-48959

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward

Assigner: CPANSec
Reserved: 26.05.2026 Published: 27.05.2026 Updated: 27.05.2026

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.

fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.

Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.

Product Status

Vendor	PMQS
Product	IO::Uncompress::Unzip
Versions	Default: unaffected affected from 0 to 2.220 (excl.)

Vendor

PMQS

Product

IO::Uncompress::Unzip

Versions

Default: unaffected

affected from 0 to 2.220 (excl.)

Solutions

Upgrade to IO-Compress 2.220 or later.

References

Problem Types

CWE-407 Inefficient Algorithmic Complexity CWE

CVE-2026-48959 PUBLISHED

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward

Product Status

Solutions

References

Problem Types