Description
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.

_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.

A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Perl module Archive::Tar allows a crafted tar header that declares an excessively large entry size to cause the program to allocate a scalar of that size. As a result, the application can exhaust system memory, leading to a denial of service. The weakness is identified as CWE‑789 (Uncontrolled Memory Allocation).

Affected Systems

All releases of the Archive::Tar CPAN distribution (maintainer BINGOS) before 3.10 are affected; no earlier minor release is safe. Archive::Tar also ships as a core Perl module, so a vendor or system perl can carry an affected copy even where nothing was ever installed from CPAN, and an application can load a different copy than the one an administrator updated. Audit every Perl environment for the version actually loaded at runtime (the value of $Archive::Tar::VERSION) rather than for the CPAN install record alone. Upgrading to 3.10 or later removes the unchecked size handling.

Risk and Exploitability

The CVSS v3.1 score is 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable by an unauthenticated remote attacker with no user interaction, availability impact only) and the EPSS score is < 1%, so the severity is high while the estimated probability of exploitation in the wild is low. The trigger is trivial: any attacker who can get a tar archive in front of a process that extracts it with Archive::Tar can exhaust that process's memory, because the allocation is driven solely by the 12-byte size field of a header and happens before any payload is read. Any service that accepts tar input from untrusted sources (upload handlers, package or artifact ingestion, CI steps) should be treated as exposed; the SSVC assessment records Automatable: yes. The CVE is not listed in CISA KEV and SSVC records Exploitation: none, indicating no known active exploitation at this time. One caveat on the record itself: the CVSS vector added in the 28 May history entry (C:N/I:H/A:N) conflicts with the CNA's vector and with the nature of a memory-exhaustion bug; availability is the affected property.

Generated by OpenCVE AI on May 27, 2026 at 20:54 UTC.

Remediation

Vendor Solution

Upgrade to Archive::Tar 3.10 or later.


OpenCVE Recommended Actions

  • Upgrade to Archive::Tar 3.10 or later.
  • Ensure the updated module is loaded in all Perl applications that perform tar extraction.
  • Add runtime checks or sandbox mechanisms to limit memory usage when processing tar archives from untrusted sources.
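The unbounded-size problem described above, and the runtime check the last recommendation calls for, shown as an added example in Python. This is not Archive::Tar's code and not its 3.10 fix, which this page does not describe; MAX_ENTRY, CHUNK, the function names and the crafted archive are assumptions constructed for illustration. The block builds a well-formed ustar header that declares a 16 GiB entry, decodes the size field in both the octal and the GNU base-256 encodings a real reader must accept, and refuses the entry before any buffer exists when the declared size exceeds a policy limit or the bytes remaining in the archive; payloads that pass are read in fixed-size chunks so memory tracks data actually present rather than the header's claim.

```python
# Added example: crafted tar size field vs. bounded entry handling.
# Not Archive::Tar code; MAX_ENTRY, CHUNK and all names here are assumptions.
import io

BLOCK = 512
MAX_ENTRY = 1 << 30      # assumed policy limit: refuse any entry over 1 GiB
CHUNK = 64 * 1024        # read accepted payloads in bounded pieces


class UnsafeEntry(ValueError):
    """Raised when a header's declared size must not be trusted."""


def build_header(name: str, size: int, typeflag: bytes = b"0") -> bytes:
    """Build a well-formed 512-byte ustar header (constructed test data).
    Sizes below 8**11 fit the 11-digit octal field; larger ones use the GNU
    base-256 encoding (first byte 0x80), which is how real archivers emit
    multi-gigabyte entries, so the crafted header is not malformed."""
    if size < 8 ** 11:
        size_field = b"%011o\0" % size
    else:
        size_field = bytes([0x80]) + size.to_bytes(11, "big")
    h = bytearray(BLOCK)
    h[0:100] = name.encode().ljust(100, b"\0")   # name
    h[100:108] = b"0000644\0"                    # mode
    h[108:116] = b"0000000\0"                    # uid
    h[116:124] = b"0000000\0"                    # gid
    h[124:136] = size_field                      # size
    h[136:148] = b"00000000000\0"                # mtime
    h[148:156] = b"        "                     # checksum: spaces while summing
    h[156:157] = typeflag                        # '0' = regular file
    h[257:263] = b"ustar\0"                      # magic
    h[263:265] = b"00"                           # version
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


def checksum_ok(header: bytes) -> bool:
    """The checksum covers the size field, so a huge but correctly summed
    header passes every integrity check a reader normally applies."""
    stored = int(header[148:156].strip(b"\0 "), 8)
    computed = sum(header[:148]) + 8 * 0x20 + sum(header[156:])
    return stored == computed


def declared_size(header: bytes) -> int:
    """Decode the 12-byte size field exactly as a tar reader would."""
    field = header[124:136]
    if field[0] & 0x80:                          # GNU base-256, value in the rest
        return int.from_bytes(field[1:], "big")
    return int(field.rstrip(b"\0 ") or b"0", 8)


def checked_size(header: bytes, remaining: int, max_entry: int = MAX_ENTRY) -> int:
    """The missing upper bound: validate the declared size before any buffer
    of that size exists. 'remaining' is the archive byte count after this
    header, known for files and seekable streams."""
    size = declared_size(header)
    if size > max_entry:
        raise UnsafeEntry(f"entry declares {size} bytes, policy limit is {max_entry}")
    if size > remaining:
        raise UnsafeEntry(f"entry declares {size} bytes but only {remaining} remain in archive")
    return size


def read_entry(fh, header: bytes, remaining: int) -> bytes:
    """Read one accepted payload in CHUNK-sized pieces."""
    size = checked_size(header, remaining)
    out, left = bytearray(), size
    while left:
        piece = fh.read(min(CHUNK, left))
        if not piece:
            raise UnsafeEntry("archive truncated inside entry")
        out += piece
        left -= len(piece)
    fh.read((-size) % BLOCK)                     # skip zero padding to next block
    return bytes(out)


def demo() -> dict:
    """Constructed archive: one honest 6-byte file, then a header declaring
    a 16 GiB entry with no payload behind it, then end-of-archive blocks."""
    payload = b"hello\n"
    honest = build_header("ok.txt", len(payload)) + payload.ljust(BLOCK, b"\0")
    bomb = build_header("bomb.txt", 1 << 34)
    archive = honest + bomb + b"\0" * (2 * BLOCK)
    fh = io.BytesIO(archive)
    results = {"bomb_checksum_ok": checksum_ok(bomb),
               "bomb_declared": declared_size(bomb)}
    hdr = fh.read(BLOCK)
    results["honest"] = read_entry(fh, hdr, len(archive) - fh.tell())
    hdr = fh.read(BLOCK)
    try:
        read_entry(fh, hdr, len(archive) - fh.tell())
        results["bomb"] = "accepted"
    except UnsafeEntry as exc:
        results["bomb"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The two bounds do different jobs: the policy limit protects a process reading from a pipe or socket, where the archive length is unknown; the remaining-bytes check catches a header that claims more than the archive physically holds, which is the crafted case here. Note that the checksum is valid on the crafted header, so no integrity check on the header itself helps; only a bound on the size value does.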

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared  Archive::Tar Project
                     Archive::Tar Project Archive::Tar
CPEs  cpe:2.3:a:archive\:\:tar_project:archive\:\:tar:*:*:*:*:*:perl:*:*
Vendors & Products  Archive::Tar Project
                    Archive::Tar Project Archive::Tar
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Tue, 26 May 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Bingos
Bingos archive::tar
Vendors & Products Bingos
Bingos archive::tar

Tue, 26 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
Title Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header
Weaknesses CWE-789
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-28T13:16:08.447Z

Reserved: 2026-05-25T23:04:04.116Z

Link: CVE-2026-9538

Vulnrichment

Updated: 2026-05-28T13:15:58.771Z

NVD

Status : Modified

Published: 2026-05-26T02:16:41.150

Modified: 2026-05-28T14:16:26.020

Link: CVE-2026-9538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses
  • CWE-789

    Memory Allocation with Excessive Size Value