Description
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.

When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.

Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.
Published: 2026-05-27
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug is located in the IO::Compress zipdetails command line tool, not in the library functions used by application code. When the tool processes an Info‑ZIP Unix Extra Field containing an 8‑byte UID or GID, an undefined subroutine error occurs, causing the program to terminate with exit status 255. The crash does not allow arbitrary code execution, but it does prevent the tool from completing, which can interrupt scripts or user operations relying on zipdetails.

Affected Systems

This issue affects the PMQS IO::Compress Perl module versions 2.207 up to and including 2.219. It specifically impacts the bundled zipdetails command line utility; users of IO::Uncompress or other callers of IO::Compress are not impacted.

Risk and Exploitability

Based on the description, it is inferred that the flaw exists only in the command line tool, so an attacker would need to execute zipdetails within the context of a user or application that invokes it. The exposure is local, with a limited scope of potential denial of service. The EPSS score of < 1% indicates that the probability of exploitation is very low; combined with the lack of real‑world reports, the risk remains moderate. Nonetheless, the impact of a crash warrants prompt patching, and the issue should be considered a high‑priority mitigation.

Generated by OpenCVE AI on May 29, 2026 at 18:44 UTC.

Remediation

Vendor Solution

Upgrade to IO-Compress 2.220 or later.

OpenCVE Recommended Actions

  • Upgrade IO::Compress to version 2.220 or later.
  • Avoid using the zipdetails CLI tool while the issue is unresolved, especially in automated scripts.
  • Monitor for crash logs and ensure that any critical scripts are updated to use newer zipdetails or an alternative implementation.

Generated by OpenCVE AI on May 29, 2026 at 18:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Pmqs
Pmqs compress
Vendors & Products Pmqs
Pmqs compress

Wed, 27 May 2026 08:30:00 +0000

Type Values Removed Values Added
References

Wed, 27 May 2026 03:30:00 +0000

Type Values Removed Values Added
Description IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.
Title IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID
Weaknesses CWE-755
References

Subscriptions

Pmqs Compress
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-29T15:52:06.965Z

Reserved: 2026-05-26T18:09:32.365Z

Link: CVE-2026-48961

cve-icon Vulnrichment

Updated: 2026-05-27T07:24:57.566Z

cve-icon NVD

Status : Deferred

Published: 2026-05-27T04:16:31.210

Modified: 2026-05-29T16:16:31.820

Link: CVE-2026-48961

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:45:05Z

Weaknesses
  • CWE-755

    Improper Handling of Exceptional Conditions