Memory Exhaustion Vulnerability in Archive::Tar for Perl
CVE-2026-9538

Currently unrated

Key Information:

Vendor: Bingos

CVE Published: 26 May 2026

What is CVE-2026-9538?

The Archive::Tar module for Perl is vulnerable to a memory exhaustion issue that arises from improper handling of the entry size field in tar headers. Attackers can exploit this vulnerability by crafting headers with excessively large size values, potentially leading to significant memory consumption. The affected function, _read_tar(), lacks proper validation on the size parameter, allowing for the allocation of large scalars based on malicious input. Users should upgrade to Archive::Tar version 3.10 or later to mitigate this risk.
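A pre-flight check for the size field described above, as an added example that is neither Archive::Tar's code nor its 3.10 fix: it walks the 512-byte headers of an uncompressed tar stream and rejects any entry whose declared size exceeds a caller-chosen cap or the bytes actually left in the stream. The names `entry_size`, `check_tar` and `sample`, the 64 MiB cap and the two in-memory archives are constructed for illustration. It assumes ustar-style headers in which every entry's size field counts the data bytes that follow.

```perl
#!/usr/bin/perl
# Added example (not Archive::Tar code): bound declared entry sizes before parsing.
use strict;
use warnings;
use constant BLOCK => 512;

# Size field: 12 bytes at header offset 124, octal ASCII. GNU base-256 (top bit
# set) and anything non-octal return undef; rejecting those is a policy choice.
sub entry_size {
    my ($field) = @_;
    return undef unless $field =~ /\A[ 0]*([0-7]*)[ \0]*\z/;
    return length($1) ? oct($1) : 0;
}

# Walk headers only. $total is the archive length in bytes, $cap the largest
# entry the caller accepts. Returns a finding string, or undef if clean.
sub check_tar {
    my ($fh, $total, $cap) = @_;
    my $pos = 0;
    while ((read($fh, my $hdr, BLOCK) // 0) == BLOCK) {
        $pos += BLOCK;
        last unless $hdr =~ /[^\0]/;                   # zero block: end of archive
        (my $name = unpack('Z100', $hdr)) =~ s/[^\x20-\x7e]/?/g;   # log-safe name
        my $size = entry_size(substr($hdr, 124, 12));
        return "$name: unsupported size field"        unless defined $size;
        return "$name: size $size exceeds cap $cap"   if $size > $cap;
        return "$name: size $size exceeds bytes left" if $size > $total - $pos;
        $pos += BLOCK * int(($size + BLOCK - 1) / BLOCK);   # skip padded data
        seek($fh, $pos, 0) or die "seek: $!";
    }
    return undef;
}

# Constructed samples: one header (name, octal size), one data block, end marker.
sub sample {
    my ($size_field, $data) = @_;
    my $hdr = pack('a100 x24 a12 x376', 'a.txt', $size_field);
    return $hdr . pack('a512', $data) . ("\0" x 1024);
}

for my $s (['00000000005', 'hello'], ['77777777777', '']) {
    my $tar = sample(@$s);
    open(my $fh, '<', \$tar) or die "open: $!";
    binmode($fh);
    my $finding = check_tar($fh, length($tar), 64 * 1024 * 1024);
    print defined($finding) ? "REJECT $finding\n" : "ok\n";
}
```

For a file on disk, open it with `'<:raw'`, pass `-s $fh` as the total, and call `Archive::Tar->new($file)` only when `check_tar` returns undef.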

Affected Version(s)

Archive::Tar: versions from 0 up to, but not including, 3.10

Timeline

  • Vulnerability published

  • Vulnerability Reserved
