CVE-2026-48961 - Vulnerability Details

Description

IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.

When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.

Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.

Published: 2026-05-27

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The bug is located in the IO::Compress zipdetails command line tool, not in the library functions used by application code. When the tool processes an Info‑ZIP Unix Extra Field containing an 8‑byte UID or GID, an undefined subroutine error occurs, causing the program to terminate with exit status 255. The crash does not allow arbitrary code execution, but it does prevent the tool from completing, which can interrupt scripts or user operations relying on zipdetails.

Affected Systems

This issue affects the PMQS IO::Compress Perl module versions 2.207 up to and including 2.219. It specifically impacts the bundled zipdetails command line utility; users of IO::Uncompress or other callers of IO::Compress are not impacted.

Risk and Exploitability

No CVSS score is published for this vulnerability, and EPSS data is unavailable. It has not been listed in CISA's KEV catalog. Because the flaw exists only in the command line tool, an attacker would need to execute zipdetails within the context of a user or application that invokes it. The exposure is local, with a limited scope of potential denial of service. The low availability of exploitation data suggests a low to moderate likelihood of real‑world attacks, but the impact is significant enough that updating the module should be treated as a high‑priority mitigation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

PMQS

IO::Compress

unaffected

Version	Status	Constraints
`2.207`	affected	< 2.220

No data.

Vendor Product Confidence Versions

Pmqs

Compress

100%

Version	Status	Scheme	Platform
`[2.207,2.220)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to IO-Compress 2.220 or later.

OpenCVE Recommended Actions

Upgrade IO::Compress to version 2.220 or later.
Avoid using the zipdetails CLI tool while the issue is unresolved, especially in automated scripts.
Monitor for crash logs and ensure that any critical scripts are updated to use newer zipdetails or an alternative implementation.

Generated by OpenCVE AI on May 27, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/27/3
https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch
https://metacpan.org/release/PMQS/IO-Compress-2.220/changes

History

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pmqs Pmqs compress
Vendors & Products		Pmqs Pmqs compress

Wed, 27 May 2026 08:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/27/3

Wed, 27 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID. When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.
Title		IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID
Weaknesses		CWE-755
References		https://github.com/pmqs/IO-Compress/commit/33c89d03d6e746ed2ead4f2f6570d47864c61bc7.patch https://metacpan.org/release/PMQS/IO-Compress-2.220/changes

Subscriptions

Pmqs Compress

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-05-27T02:34:52.228Z

Updated: 2026-05-27T07:24:57.566Z

Reserved: 2026-05-26T18:09:32.365Z

Link: CVE-2026-48961

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T04:16:31.210

Modified: 2026-05-27T08:16:44.077

Link: CVE-2026-48961

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:57Z

Weaknesses

CWE-755

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object