216.73.217.24

CVE-2026-48961

· Published 27/05/2026 04:16 · Modified 27/05/2026 19:38

Labels: CVE-2026-48961 2026-05-279b29abf9-4ab0-4765-b253-1875cd9b441eCVE-2026-48961CWE-755

Essential information

Published
27/05/2026 04:16
Modified
27/05/2026 19:38
Author
Creator
CISA KEV
No
CWE

Description

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
9b29abf9-4ab0-4765-b253-1875cd9b441e
NVD
View on NVD

Affected products (CPE)

ProductCPE
perl / io compress cpe:2.3:a:perl:io_compress:2.207-*:*:*:*:*:*:*
perl / io compress cpe:2.3:a:perl:io_compress:2.220:*:*:*:*:*:*:*

References