CVE-2026-48959
Deferred Deferred - Pending Action
CPU Exhaustion in IO::Uncompress::Unzip

Publication date: 2026-05-27

Last updated on: 2026-05-29

Assigner: CPANSec

Description
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-48959
EUVD
EUVD-2026-32043
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pmqs io_uncompress_unzip to 2.220 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in IO::Uncompress::Unzip versions before 2.220 for Perl, where the fastForward() function incorrectly compares the length of the offset (number of digits in the offset) against the chunk size instead of the offset value itself.

This causes the chunk size to shrink from 16 KiB to between 1 and 19 bytes per iteration, leading to a per-byte read loop.

An attacker can exploit this by supplying a specially crafted zip file with a named entry, causing the function to perform a very large number of small reads, resulting in CPU exhaustion.

Impact Analysis

This vulnerability can lead to CPU exhaustion when processing attacker-supplied zip files, causing denial of service conditions.

Systems using vulnerable versions of IO::Uncompress::Unzip may experience degraded performance or become unresponsive when handling malicious zip files.

Detection Guidance

This vulnerability occurs in IO::Uncompress::Unzip versions before 2.220 for Perl, specifically triggered by extracting a named entry from an attacker-supplied zip file using IO::Uncompress::Unzip->new($zip, Name => $target). Detection involves identifying usage of vulnerable versions of the IO::Uncompress::Unzip Perl module.

To detect if your system is vulnerable, check the installed version of the IO::Uncompress::Unzip Perl module.

  • perl -MIO::Uncompress::Unzip -e 'print $IO::Uncompress::Unzip::VERSION . "\n";'

If the version is before 2.220, your system is vulnerable.

Additionally, monitoring for unusually high CPU usage during zip extraction operations involving IO::Uncompress::Unzip may indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update the IO::Uncompress::Unzip Perl module to version 2.220 or later, which contains the fix for this vulnerability.

The fix corrects the fastForward() function to properly compare the offset value instead of its digit length, preventing the CPU exhaustion issue.

  • Update the module via CPAN or your package manager, for example:
  • cpan IO::Uncompress::Unzip
  • or
  • cpanm IO::Uncompress::Unzip

If immediate update is not possible, consider restricting or monitoring usage of IO::Uncompress::Unzip->new() calls with untrusted zip files to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart