PatchSiren cyber security CVE debrief

CVE-2026-9538 BINGOS CVE debrief

Archive::Tar versions before 3.10 for Perl contain a memory exhaustion vulnerability. The _read_tar() function reads each entry's payload using $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header without an upper bound. A crafted tar header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size, leading to memory exhaustion. The vulnerability was published on 2026-05-26 and last modified on 2026-05-26. The issue is classified under CWE-789 (Uncontrolled Memory Allocation). A patch is available in version 3.10.

Vendor: BINGOS
Product: Archive::Tar
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-27
Advisory published: 2026-05-26
Advisory updated: 2026-05-27

Who should care

System administrators running Perl applications that process untrusted tar archives, developers using Archive::Tar in web applications or automated processing pipelines, and security teams monitoring for denial-of-service vectors in archive handling components.

Technical summary

The vulnerability exists in Archive::Tar's _read_tar() function, which reads tar entry payloads by allocating memory based on the size field declared in the tar header. The 12-byte size field is parsed without validation or upper bounds checking. An attacker can craft a malicious tar archive with an artificially inflated size value (multi-gigabyte), causing immediate memory allocation of that size when Perl attempts to create the scalar. This results in memory exhaustion and potential denial of service. The fix in version 3.10 implements proper bounds checking on the size field before memory allocation occurs.

Defensive priority

high

Recommended defensive actions

  • Upgrade Archive::Tar to version 3.10 or later to address the memory exhaustion vulnerability.
  • Validate tar file headers before processing, implementing size limits on declared entry sizes to prevent excessive memory allocation.
  • Monitor systems processing untrusted tar archives for signs of memory exhaustion or denial-of-service conditions.
  • Review application code that uses Archive::Tar to ensure proper input validation and resource limits are enforced.
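The header pre-check recommended above, as an added example that is not Archive::Tar code or part of the upstream fix: it walks each 512-byte tar header, parses the 12-byte size field the technical summary describes, and rejects any entry over a caller-supplied cap before any payload is read or allocated. The helper names (check_tar_sizes, make_header), the 64 MiB cap and the sample archive are assumptions constructed for this illustration.

```perl
use strict;
use warnings;

use constant BLOCK => 512;

# Walk the 512-byte headers of a tar stream and reject any entry whose declared
# size exceeds $max_entry before a single payload byte is read or allocated.
# Hypothetical helper, not part of Archive::Tar. Returns (ok, message).
sub check_tar_sizes {
    my ($fh, $max_entry) = @_;
    while ((read($fh, my $hdr, BLOCK) // 0) == BLOCK) {
        last if $hdr eq "\0" x BLOCK;              # zero block ends the archive
        my $name = unpack('Z100', $hdr);
        my $raw  = substr($hdr, 124, 12);          # 12-byte size field
        # GNU base-256 form (top bit set) is only used for sizes >= 8 GiB,
        # which already exceeds any sane cap, so reject it outright.
        return (0, "$name: base-256 size field (>= 8 GiB)") if ord($raw) & 0x80;
        my ($oct) = $raw =~ /^\s*([0-7]{1,11})/    # octal digits, NUL/space padded
            or return (0, "$name: malformed size field");
        my $size = oct($oct);
        return (0, "$name: declared size $size exceeds cap $max_entry")
            if $size > $max_entry;
        # Skip the payload (rounded up to whole blocks) instead of reading it
        my $skip = int(($size + BLOCK - 1) / BLOCK) * BLOCK;
        seek($fh, $skip, 1) or return (0, "$name: seek failed");
    }
    return (1, 'all entries within cap');
}

# Build a minimal ustar-style header (constructed test data) for $name with a
# declared size of $size and a valid checksum.
sub make_header {
    my ($name, $size) = @_;
    my $hdr = pack('Z100 Z8 Z8 Z8 Z12 Z12 A8 a1',
        $name, '0000644', '0000000', '0000000',
        sprintf('%011o', $size), sprintf('%011o', 0), ' ' x 8, '0');
    $hdr .= "\0" x (BLOCK - length $hdr);
    my $sum = 0; $sum += ord for split //, $hdr;
    substr($hdr, 148, 8) = sprintf("%06o\0 ", $sum);
    return $hdr;
}

# Constructed sample archive: one entry claiming 4 GiB with no payload at all,
# followed by the two end-of-archive zero blocks.
my $archive = make_header('bomb.txt', 4 * 1024**3) . ("\0" x (2 * BLOCK));
open my $fh, '<', \$archive or die "open: $!";
binmode $fh;
my ($ok, $msg) = check_tar_sizes($fh, 64 * 1024**2);   # cap entries at 64 MiB
print $ok ? "accepted\n" : "rejected: $msg\n";
```

Run the check on the raw stream before handing it to Archive::Tar; a rejected archive never reaches the unbounded read, and accepted archives are re-read from the start by the normal parser.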

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. The fix is confirmed by the commit patch and version 3.10 changelog on MetaCPAN. The oss-security mailing list post provides additional disclosure context.

Official resources

2026-05-26T02:16:41.150Z