PT-2026-43486 · Cpan · Io::Uncompress::Unzip

Stig Palmquist

·

Published

2026-05-27

·

Updated

2026-06-25

·

CVE-2026-48959

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions IO::Uncompress::Unzip versions prior to 2.220
Description An issue in the fastForward() function allows CPU exhaustion. The function compares the length of the $offset variable (the digit count of the offset, ranging from 1 to 19) against the chunk size $c instead of comparing the $offset value itself. This causes the chunk size $c to shrink from 16 KiB to between 1 and 19 bytes per iteration. An attacker can trigger a per-byte read loop that scales with the compressed size of an entry, up to the 4 GiB non-Zip64 limit, by extracting a named entry from a malicious zip file using IO::Uncompress::Unzip->new($zip, Name => $target).
Recommendations Update to version 2.220 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-48959
ECHO-C2DC-1C4D-E477

Affected Products

Io::Uncompress::Unzip