CPU Exhaustion Vulnerability in Perl IO::Uncompress::Unzip Before Version 2.220
CVE-2026-48959

Currently unrated

Key Information:

Vendor: PMQs

CVE Published: 27 May 2026

What is CVE-2026-48959?

Versions of Perl's IO::Uncompress::Unzip prior to 2.220 allow CPU exhaustion through a per-byte read loop that is triggered when extracting entries from attacker-supplied zip files. The flaw is in the fastForward() function, which compares the offset's digit count against the chunk size, significantly reducing processing efficiency. This could enable attackers to consume CPU resources, up to the limit of 4 GiB for non-Zip64 entries, affecting system performance.
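The following is a simplified model of the loop described above, added here as an illustration and not taken from the module's source. The sub names, the 16 KiB chunk size and the 1 MiB sample offset are assumptions. It counts read calls when the chunk size is capped by the offset's digit count (Perl's `length` applied to a number returns the length of its string form) versus by the offset's value, then reports whether the locally installed module predates 2.220.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed chunk size for this model; not taken from the module.
use constant CHUNK => 16 * 1024;

# Model of the flaw as described: the chunk size is capped by the number
# of digits in $offset rather than by its numeric value, so each read
# covers only a few bytes and shrinks toward one byte.
sub reads_digit_count {
    my ($offset) = @_;
    my ($chunk, $reads) = (CHUNK, 0);
    while ($offset > 0) {
        $chunk = length($offset) if length($offset) < $chunk;
        $offset -= $chunk;
        $reads++;    # stands in for one read call on the archive
    }
    return $reads;
}

# Same loop with the cap taken from the offset's value (assumed intent).
sub reads_value {
    my ($offset) = @_;
    my ($chunk, $reads) = (CHUNK, 0);
    while ($offset > 0) {
        $chunk = $offset if $offset < $chunk;
        $offset -= $chunk;
        $reads++;
    }
    return $reads;
}

my $offset = 1024 * 1024;    # constructed sample offset (1 MiB)
printf "digit-count cap: %d reads\n", reads_digit_count($offset);
printf "value cap:       %d reads\n", reads_value($offset);

# Report whether the installed module predates the fixed release.
if (eval { require IO::Uncompress::Unzip; 1 }) {
    my $have  = IO::Uncompress::Unzip->VERSION;
    # VERSION('x') dies when the installed version is lower than x.
    my $fixed = eval { IO::Uncompress::Unzip->VERSION('2.220'); 1 };
    printf "IO::Uncompress::Unzip %s: %s\n", $have,
        $fixed ? 'at or after 2.220' : 'before 2.220, upgrade';
}
```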

Affected Version(s)

IO::Uncompress::Unzip: versions from 0 up to, but not including, 2.220

Timeline

  • Vulnerability published

  • Vulnerability Reserved
