PT-2026-43166 · Cpan · Archive Tar

Stig Palmquist

·

Published

2026-05-26

·

Updated

2026-06-25

·

CVE-2026-9538

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Archive::Tar versions prior to 3.10
Description Archive::Tar for Perl allows memory exhaustion when processing a tar header with an attacker-controlled entry size field. The read tar() function reads each entry's payload using $handle->read($$data, $block), where the $block variable is derived from the 12-byte size field in the tar header without an upper bound. A crafted header specifying a multi-gigabyte size forces Perl to allocate a scalar of that size, leading to memory exhaustion.
Recommendations Update to version 3.10 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9538
ECHO-E379-3651-BF29

Affected Products

Archive Tar