CVE-2026-48961
7.3 HIGH
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix...
Published: 2026-05-27 · Last updated: 2026-05-29
Severity and scoring
- CVSS: 7.3 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- CWE: CWE-755
Description
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with an undefined-subroutine error on an Info-ZIP Unix Extra Field with an 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, zipdetails has to decode an 8-byte UID or GID value and dispatches through decodeLitteEndian(), which calls a misnamed helper, unpackValueQ. The function actually defined in the same file is unpackValue_Q (with an underscore), so the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.
Source: NVD
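The field layout behind this crash, as an added Python example (not zipdetails code and not part of the NVD record): it walks a ZIP extra-field blob, decodes 0x7875 records with UID/GID widths from 1 to 8 bytes, and reports the 8-byte ones that reach the broken path in affected versions. The function names, the 1-to-8 width limit and the sample bytes are assumptions constructed for illustration.

```python
import struct

UX_TAG = 0x7875  # Info-ZIP Unix Extra Field tag named in the description

def iter_extra_fields(extra: bytes):
    """Yield (tag, body) for each record in a ZIP extra-field blob."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        if len(body) != size:
            raise ValueError(f"extra field 0x{tag:04x} truncated")
        yield tag, body
        pos += 4 + size
    if pos != len(extra):
        raise ValueError("trailing bytes after last extra field")

def decode_ux(body: bytes):
    """Decode a 0x7875 body: version, UIDSize, UID, GIDSize, GID (little-endian)."""
    def take(pos, what):
        if pos >= len(body):
            raise ValueError(f"missing {what} size")
        width = body[pos]
        value = body[pos + 1 : pos + 1 + width]
        if width == 0 or width > 8 or len(value) != width:
            raise ValueError(f"bad {what} size {width}")
        # int.from_bytes handles every width uniformly, 8 included
        return int.from_bytes(value, "little"), width, pos + 1 + width
    if not body:
        raise ValueError("empty 0x7875 body")
    uid, uid_w, pos = take(1, "UID")
    gid, gid_w, pos = take(pos, "GID")
    return {"version": body[0], "uid": uid, "uid_size": uid_w,
            "gid": gid, "gid_size": gid_w}

def wide_id_fields(extra: bytes):
    """Return decoded 0x7875 records whose UID or GID is 8 bytes wide."""
    recs = [decode_ux(b) for t, b in iter_extra_fields(extra) if t == UX_TAG]
    return [r for r in recs if 8 in (r["uid_size"], r["gid_size"])]

def build_ux(uid: int, gid: int, width: int) -> bytes:
    """Build a constructed sample record (version 1) for the checks."""
    body = (bytes([1, width]) + uid.to_bytes(width, "little")
            + bytes([width]) + gid.to_bytes(width, "little"))
    return struct.pack("<HH", UX_TAG, len(body)) + body

SAMPLE_NARROW = build_ux(1000, 1000, 4)      # constructed: usual 4-byte IDs
SAMPLE_WIDE = build_ux(2**40 + 7, 2**33, 8)  # constructed: 8-byte IDs
```

Running wide_id_fields() over the extra data of each entry in an archive queue shows which files need zipdetails 2.220 or later before the tool is run on them.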
Related CVEs
Same CWE
- CVE-2026-44505 — Nimiq is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm (5.3 MEDIUM)
- CVE-2023-43686 — An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later) (6.2 MEDIUM)
- CVE-2026-49235 — When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes (7.5 HIGH)
- CVE-2026-49232 — Routinator exits on any error when accepting incoming HTTP or RTR connections, including ones it can recover from such as running out of ...
- CVE-2026-9516 — Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws (7.5 HIGH)