CVE-2026-48959
CPU Exhaustion in IO::Uncompress::Unzip
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: CPANSec
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pmqs | io_uncompress_unzip | before 2.220 (2.220 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in IO::Uncompress::Unzip versions before 2.220 for Perl, where the fastForward() function compares the length of the offset (the number of digits in the offset) against the chunk size instead of comparing the offset value itself.
This shrinks the chunk size from 16 KiB to between 1 and 19 bytes per iteration, so the skip loop degrades to reading only a handful of bytes at a time.
An attacker can exploit this by supplying a specially crafted zip file with a named entry, causing the function to perform a very large number of small reads and exhausting CPU.
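The Perl script below is an added illustration, not code from IO::Uncompress::Unzip or from the advisory. It models a chunked skip loop with a 16 KiB block size and counts how many reads are needed to skip a given number of bytes, once with the intended comparison of the offset value and once with the digit-length comparison the description attributes to fastForward(). The function name count_skip_reads, the 'buggy'/'fixed' mode switch and the sample offsets are constructed for this example; the module's real read loop is not reproduced here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model of a "skip $offset bytes in chunks" loop.
# $mode eq 'fixed': clamp the chunk to the remaining offset VALUE.
# $mode eq 'buggy': clamp the chunk to the remaining offset's DIGIT COUNT,
#                   which is the comparison error described for fastForward().
# Returns the number of read calls the loop would issue.
sub count_skip_reads {
    my ($offset, $mode) = @_;
    my $blocksize = 16 * 1024;   # intended chunk size: 16 KiB
    my $reads     = 0;

    while ($offset > 0) {
        my $chunk = $blocksize;
        if ($mode eq 'buggy') {
            # length("1048576") is 7, so the chunk collapses to 7 bytes.
            # For any offset >= 10 the digit count is below the value, so
            # the loop never over-reads; it just reads a few bytes per call.
            $chunk = length($offset) if length($offset) < $chunk;
        }
        else {
            # Correct clamp: never read more than what is left to skip.
            $chunk = $offset if $offset < $chunk;
        }
        # Simulate consuming $chunk bytes from the handle.
        $offset -= $chunk;
        $reads++;
    }
    return $reads;
}

# Constructed sample offsets: an entry near the start, one at 1 MiB, one at 10 MB.
for my $offset (1_000, 1_048_576, 10_000_000) {
    printf "skip %-10d  fixed: %7d reads   buggy: %9d reads\n",
        $offset,
        count_skip_reads($offset, 'fixed'),
        count_skip_reads($offset, 'buggy');
}
```

Because the digit count is re-evaluated on every pass, the buggy chunk size drifts downwards as the remaining offset loses digits, which is why the work grows roughly linearly with the offset instead of with offset divided by 16 KiB. The number of reads is what a defender should expect to see as sustained CPU time when a vulnerable version processes a large entry offset.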
How can this vulnerability impact me?
This vulnerability can lead to CPU exhaustion when processing attacker-supplied zip files, causing denial of service conditions.
Systems using vulnerable versions of IO::Uncompress::Unzip may experience degraded performance or become unresponsive when handling malicious zip files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects IO::Uncompress::Unzip versions before 2.220 for Perl and is triggered when a named entry is extracted from an attacker-supplied zip file, for example with IO::Uncompress::Unzip->new($zip, Name => $target). Detection therefore consists of identifying installations that use a vulnerable version of the IO::Uncompress::Unzip Perl module.
To detect if your system is vulnerable, check the installed version of the IO::Uncompress::Unzip Perl module.
- perl -MIO::Uncompress::Unzip -e 'print $IO::Uncompress::Unzip::VERSION . "\n";'
If the version is before 2.220, your system is vulnerable.
Additionally, monitoring for unusually high CPU usage during zip extraction operations involving IO::Uncompress::Unzip may indicate exploitation attempts.
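As an added check that goes slightly beyond the one-line command above (it is not from the advisory), the Perl script below loads the module, compares the installed version against the fixed release 2.220 using the core version module, and exits non-zero when the version is below it, so it can be dropped into an inventory or CI job. The function name check_unzip_version and the output wording are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use version;

# Fixed release named by the advisory for CVE-2026-48959.
my $FIXED = version->parse('2.220');

# Returns a hashref describing whether IO::Uncompress::Unzip is installed
# and, if so, whether its version is below the fixed release.
sub check_unzip_version {
    my $loaded = eval { require IO::Uncompress::Unzip; 1 };
    return { installed => 0 } unless $loaded;

    my $v = $IO::Uncompress::Unzip::VERSION;
    # Decimal version strings such as "2.212" compare numerically via
    # version->parse; "2.22" and "2.220" compare as equal.
    my $vulnerable = version->parse($v) < $FIXED ? 1 : 0;
    return { installed => 1, version => $v, vulnerable => $vulnerable };
}

my $r = check_unzip_version();
if (!$r->{installed}) {
    print "IO::Uncompress::Unzip is not installed\n";
}
elsif ($r->{vulnerable}) {
    print "IO::Uncompress::Unzip $r->{version} is before 2.220: update (CVE-2026-48959)\n";
    exit 1;
}
else {
    print "IO::Uncompress::Unzip $r->{version} is 2.220 or later\n";
}
```

Run it with the same perl interpreter your applications use; a host with several Perl installations (system perl, perlbrew, a vendored interpreter) needs one run per interpreter, since each has its own copy of the module.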
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the IO::Uncompress::Unzip Perl module to version 2.220 or later, which contains the fix for this vulnerability.
The fix corrects the fastForward() function to properly compare the offset value instead of its digit length, preventing the CPU exhaustion issue.
- Update the module via CPAN or your package manager, for example:
  - cpan IO::Uncompress::Unzip
  - or cpanm IO::Uncompress::Unzip
If an immediate update is not possible, consider restricting or monitoring calls to IO::Uncompress::Unzip->new() on untrusted zip files to limit exposure.