Description
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.

_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.

A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
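As an added illustration (not Archive::Tar's own code), the following Perl puts the unbounded read pattern the description refers to beside a version that parses the 12-byte octal size field, rejects anything above a configured cap, and reads the payload in fixed chunks. MAX_ENTRY and CHUNK are assumed policy values, and the oversized header at the end is constructed inline as a test input for the check.

```perl
# Added illustration, not Archive::Tar's own code: parse a ustar header's
# 12-byte size field and bound it before any payload buffer is allocated.
use strict; use warnings; use IO::Handle;

use constant BLOCK     => 512;
use constant MAX_ENTRY => 64 * 1024 * 1024;   # assumed policy cap: 64 MiB
use constant CHUNK     => 64 * 1024;          # read payloads in bounded pieces

# Size field: header bytes 124..135, octal digits, NUL or space terminated.
sub entry_size_from_header {
    my ($header) = @_;
    die "short header\n" unless length($header) == BLOCK;
    (my $field = substr($header, 124, 12)) =~ s/[\0 ]+$//;
    die "non-octal size field\n" unless $field =~ /^[0-7]{1,11}$/;
    return oct($field);
}

# Vulnerable pattern (CWE-789): one read sized straight from the header field.
sub read_entry_unbounded {
    my ($fh, $size) = @_;
    my $data;
    $fh->read($data, $size);    # scalar grows to $size before any check
    return \$data;
}

# Hardened pattern: reject sizes over the cap, then read in fixed chunks so
# memory stays within the cap and a truncated archive is caught, not padded.
sub read_entry_bounded {
    my ($fh, $size, $cap) = @_;
    $cap //= MAX_ENTRY;
    die "entry size $size exceeds cap $cap\n" if $size > $cap;
    my ($data, $remaining) = ('', $size);
    while ($remaining > 0) {
        my $want = $remaining < CHUNK ? $remaining : CHUNK;
        my $got  = $fh->read(my $buf, $want) or die "truncated archive\n";
        $data .= $buf;
        $remaining -= $got;
    }
    my $pad = (BLOCK - $size % BLOCK) % BLOCK;   # payloads are 512-byte padded
    $fh->read(my $skip, $pad) if $pad;
    return \$data;
}

# Constructed test header: a regular file whose size field claims 8 GiB - 1.
my $crafted = "evil.bin" . ("\0" x 92) . "0000644\0" . "0000000\0" x 2
            . "77777777777\0" . ("\0" x (BLOCK - 136));
my $declared = entry_size_from_header($crafted);
eval { read_entry_bounded(\*STDIN, $declared) };
print "declared $declared bytes: ", ($@ || "accepted\n");
```

The bounded reader dies on the cap check before touching the handle, so the script prints the rejection without reading from STDIN.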
Published: 2026-05-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Perl module Archive::Tar allows a crafted tar header that declares an excessively large entry size to cause the program to allocate a scalar of that size. As a result, the application can exhaust system memory, leading to a denial of service. The weakness is identified as CWE-789 (Uncontrolled Memory Allocation).

Affected Systems

All installations of BINGOS Archive::Tar older than version 3.10 are affected. The vulnerability exists in all prior releases, regardless of minor sub-version. Upgrading to 3.10 or later removes the unchecked size handling. Organizations using this module should audit their Perl environments for the presence of older versions.

Risk and Exploitability

No public exploit or CVSS score is listed, and the EPSS score is not available, so the exact likelihood of exploitation is unknown. However, any attacker who can supply a malicious tar file to a process that extracts it with Archive::Tar can trigger the issue. Because the flaw is an unbounded allocation driven solely by header data, it is likely exploitable in any context where tar extraction is performed on untrusted input. The vulnerability is not listed in CISA KEV, indicating no known active exploitation at this time.

Generated by OpenCVE AI on May 26, 2026 at 02:21 UTC.

Remediation

Vendor Solution

Upgrade to Archive::Tar 3.10 or later.


OpenCVE Recommended Actions

  • Upgrade to Archive::Tar 3.10 or later.
  • Ensure the updated module is loaded in all Perl applications that perform tar extraction.
  • Add runtime checks or sandbox mechanisms to limit memory usage when processing tar archives from untrusted sources.

Generated by OpenCVE AI on May 26, 2026 at 02:21 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type                 Values Removed   Values Added
References

Tue, 26 May 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bingos
                                      Bingos archive::tar
Vendors & Products                    Bingos
                                      Bingos archive::tar

Tue, 26 May 2026 01:30:00 +0000

Type                 Values Removed   Values Added
Description                           Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
Title                                 Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header
Weaknesses                            CWE-789
References

Subscriptions

Bingos Archive::tar
MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-26T03:06:03.290Z

Reserved: 2026-05-25T23:04:04.116Z

Link: CVE-2026-9538

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T02:16:41.150

Modified: 2026-05-26T04:16:27.987

Link: CVE-2026-9538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T12:59:45Z

Weaknesses