CVE-2026-48961
Essential information
- Published
- 27/05/2026 04:16
- Modified
- 27/05/2026 19:38
- Author
- —
- Creator
- —
- CISA KEV
- No
- CWE
- —
- CVSS vector
- — — —
Description
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.
When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.
Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.
NVD status
- Status
- Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- 9b29abf9-4ab0-4765-b253-1875cd9b441e
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| perl / io compress | cpe:2.3:a:perl:io_compress:2.207-*:*:*:*:*:*:* |
| perl / io compress | cpe:2.3:a:perl:io_compress:2.220:*:*:*:*:*:*:* |