CVE-2026-48961

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.

CVSS v3 7.3 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes
http://www.openwall.com/lists/oss-security/2026/05/27/3

Configurations

No configuration.

History

29 May 2026, 16:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.3

27 May 2026, 08:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/05/27/3 -

27 May 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-27 04:16

Updated : 2026-05-29 16:16

NVD link : CVE-2026-48961

Mitre link : CVE-2026-48961

CVE.ORG link : CVE-2026-48961

JSON object : View

Products Affected

No product.

CWE

CWE-755

Improper Handling of Exceptional Conditions

7.3 /10