{"id":"CVE-2026-48959","summary":"IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward","details":"IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.\n\nfastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.\n\nExtracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip-\u003enew($zip, Name =\u003e $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.","modified":"2026-05-31T03:55:50.103821948Z","published":"2026-05-27T02:29:07.027Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48959.json","cna_assigner":"CPANSec","cwe_ids":["CWE-407"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/27/2"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48959.json"},{"type":"ADVISORY","url":"https://metacpan.org/release/PMQS/IO-Compress-2.220/changes"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48959"},{"type":"FIX","url":"https://github.com/pmqs/IO-Compress/commit/68db44076f4c1a86a2ffe53a958eac6cabaf72e2.patch"},{"type":"PACKAGE","url":"https://github.com/pmqs/IO-Compress"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pmqs/io-compress","events":[{"introduced":"0"},{"fixed":"f1979570091697409f4792e5d401bbf8fb4b20b6"}]}],"versions":["v2.219","v2.218","v2.217","v2.216","v2.215","v2.214","v2.213","v2.212","v2.211","v2.208","v2.207","v2.206","v2-205","v2.204","v2.201","v2.106","v2.105","v2.103","v2.102","v2.101","v2.100","v2.096","v2.095","v2.093","v2.092","v2.091","v2.090","v2.089","v2.088","v2.087","v2.086","v2.084","v2.083","v2.082","v2.081","v2.080","v2.074","v2.073","v2.072","v2.070","v2.069","v2.068","v2.067","v2.066","v2.064","v2.063","v2.062","v2.061","v2.060","v2.059","v2.058","v2.057","v2.055","v2.052","v2.049","v2.048","v2.047","v2.046","v2.045","v2.044","v2.043","v2.042","v2.040","v2.039","v2.037","v2.036","v2.035","v2.034","v2.033","v2.032","v2.030","v2.027","v2.026","v2.025","v2.024","v2.023","v2.022","v2.021","v2.020","v2.019","v2.018","v2.017","v2.015","v2.014","v2.012","v2.011","v2.010","v2.008","v2.007","v2.006","v2.005","v2.004","v2.003","v2.002","v2.001","v2.000_14","v2.000_13","v2.000_12","v2.000_11","v2.000_10","v2.000_09","v2.000_07","v2.000_06","v2.000_05","v2.000_04","v2.000_03","v2.000_02","v2.000_00"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-48959.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}