PatchSiren cyber security CVE debrief

CVE-2026-48959 PMQS CVE debrief

IO::Uncompress::Unzip versions before 2.220 contain a logic error in the fastForward() function that enables CPU exhaustion attacks. The vulnerability stems from an incorrect comparison where the digit count of an offset value (1-19 characters) is compared against chunk size rather than the actual offset value. This causes the chunk size to shrink dramatically from 16 KiB to 1-19 bytes per iteration, creating a per-byte read loop when extracting named entries from attacker-supplied ZIP archives. The attack scales with the compressed entry size up to the non-Zip64 4 GiB limit, allowing remote attackers to cause denial of service through CPU resource exhaustion. The issue was addressed in IO-Compress version 2.220.

Vendor
PMQS
Product
IO::Uncompress::Unzip
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Perl applications that process untrusted ZIP archives using IO::Uncompress::Unzip, particularly those extracting specific named entries. This includes web applications with file upload functionality, email processing systems, document management platforms, and automated data ingestion pipelines. System administrators and DevOps teams managing Perl-based infrastructure should prioritize this update.

Technical summary

The fastForward() function in IO::Uncompress::Unzip contains a logic error: strlen($offset), the number of digits in the offset string (1-19), is compared against the chunk size $c instead of the numeric value of $offset. As a result, $c is set to 1-19 bytes rather than the intended minimum of the offset value and 16 KiB. When a named entry is extracted via IO::Uncompress::Unzip->new($zip, Name => $target), the function enters a per-byte read loop whose iteration count scales with the compressed entry size, up to about 4 Gi (2^32) iterations for a maximum-size 4 GiB non-Zip64 entry. An unauthenticated remote attacker can therefore cause CPU exhaustion and denial of service by supplying a crafted ZIP archive.
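To make the comparison error concrete, the following is a small simulation written in Perl for this debrief; it is not the code of IO::Uncompress::Unzip, and chunk_buggy, chunk_fixed and reads_needed are names chosen for the illustration. It shows how many read calls are needed to skip past a given number of bytes when the chunk size is derived from length($offset) (Perl's string length, the strlen of the description) versus from the numeric value of $offset.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified model of the chunk-size selection described in the advisory.
# Added illustration only; this is not the actual IO::Uncompress::Unzip code.
use constant CHUNK => 16 * 1024;    # the 16 KiB read chunk mentioned in the text

# Buggy variant: compares the digit count of $offset (always 1-19) with $c,
# so $c collapses to a handful of bytes on every call.
sub chunk_buggy {
    my ($offset) = @_;
    my $c = CHUNK;
    $c = length($offset) if length($offset) < $c;   # string length, not the value
    return $c;
}

# Corrected variant: compares the numeric value of $offset with $c,
# giving min($offset, 16 KiB) as intended.
sub chunk_fixed {
    my ($offset) = @_;
    my $c = CHUNK;
    $c = $offset if $offset < $c;
    return $c;
}

# Count the reads needed to skip $offset bytes with a given chunk-size rule.
# Each loop iteration stands for one read call in the real fast-forward loop.
sub reads_needed {
    my ($offset, $chunk_of) = @_;
    my $reads = 0;
    while ($offset > 0) {
        my $c = $chunk_of->($offset);
        $offset -= $c;
        $reads++;
    }
    return $reads;
}

# Constructed sample offsets (bytes to skip), not taken from any real archive.
for my $offset (100, 100_000, 5_000_000) {
    printf "offset %9d: buggy chunk %5d bytes -> %7d reads | fixed chunk %5d bytes -> %3d reads\n",
        $offset,
        chunk_buggy($offset), reads_needed($offset, \&chunk_buggy),
        chunk_fixed($offset), reads_needed($offset, \&chunk_fixed);
}
```

The read count under the buggy rule grows almost linearly with the offset (the chunk is at most 19 bytes), while under the fixed rule it grows by one read per 16 KiB; that linear growth in the number of Perl-level loop iterations is the CPU-exhaustion mechanism the summary describes.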

Defensive priority

High

Recommended defensive actions

  • Upgrade IO::Compress to version 2.220 or later to obtain the corrected fastForward() implementation
  • Validate ZIP archive sources before processing with IO::Uncompress::Unzip, particularly for untrusted user uploads
  • Implement resource limits and timeouts on ZIP extraction operations to mitigate potential denial of service
  • Monitor for anomalous CPU usage patterns in applications processing ZIP archives
  • Review application code using IO::Uncompress::Unzip with the Name parameter for extraction of specific entries
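As an added example of the resource-limit and timeout recommendations above (not code from IO-Compress or PatchSiren), the following Perl wrapper refuses to run on a module version older than 2.220, bounds the wall-clock time of a named-entry extraction with alarm, and caps the decompressed bytes held in memory. extract_entry_guarded, the limit values and the archive and entry names are hypothetical choices for this illustration; the wrapper assumes that $IO::Uncompress::Unzip::VERSION follows the IO-Compress distribution version.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Uncompress::Unzip qw($UnzipError);

# Refuse to run on versions that still carry the fastForward() defect.
# Assumption: the module's $VERSION tracks the IO-Compress distribution version.
die "IO::Uncompress::Unzip $IO::Uncompress::Unzip::VERSION is older than 2.220; upgrade IO-Compress\n"
    if $IO::Uncompress::Unzip::VERSION < 2.220;

# Extract one named entry under a wall-clock timeout and an output-size cap.
# Returns ($data, undef) on success or (undef, $error) on any failure.
# Hypothetical helper written for this debrief; the limits are example values.
sub extract_entry_guarded {
    my (%arg) = @_;
    my $zip     = $arg{zip};                           # path or filehandle of the untrusted archive
    my $target  = $arg{name};                          # entry name to extract
    my $timeout = $arg{timeout}   // 10;               # seconds allowed for the whole extraction
    my $max_out = $arg{max_bytes} // 50 * 1024 * 1024; # cap on decompressed bytes kept in memory

    my $data = '';
    eval {
        local $SIG{ALRM} = sub { die "timeout after ${timeout}s\n" };
        alarm $timeout;

        # The named-entry lookup (Name => ...) is the code path the advisory
        # describes, so the constructor itself must run under the alarm.
        my $u = IO::Uncompress::Unzip->new($zip, Name => $target)
            or die "cannot open entry '$target': $UnzipError\n";

        my $buf;
        while (1) {
            my $n = $u->read($buf) // -1;              # bytes read, 0 at EOF, <0 on error
            die "read error: $UnzipError\n" if $n < 0;
            last if $n == 0;
            $data .= $buf;
            die "entry exceeds $max_out decompressed bytes\n" if length($data) > $max_out;
        }
        $u->close;
        alarm 0;
        1;
    } or do {
        alarm 0;                                       # always clear the timer on failure
        my $err = $@ || "unknown error\n";
        return (undef, $err);
    };
    return ($data, undef);
}

# Usage; 'upload.zip' and 'report.csv' are placeholders, not real files.
my ($bytes, $err) = extract_entry_guarded(
    zip => 'upload.zip', name => 'report.csv', timeout => 5,
);
if (defined $err) {
    chomp $err;
    print STDERR "rejected: $err\n";
} else {
    printf "extracted %d bytes\n", length $bytes;
}
```

The alarm fires between Perl opcodes, so it interrupts the per-byte loop inside the constructor as well as the later reads; a rejected extraction is surfaced as an error string, which is the event worth logging when monitoring for the anomalous CPU usage the list above mentions. A process-level CPU limit (for example ulimit -t in the service's launcher) is a complementary control for code paths the wrapper does not cover.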

Evidence notes

The vulnerability description confirms a logic error in fastForward() that compares the digit count of $offset against the chunk size $c rather than the numeric value of $offset. The patch commit and changelog in the official IO-Compress repository confirm the fix in version 2.220. The CWE-407 (Inefficient Algorithmic Complexity) classification aligns with the per-byte read loop behaviour.

Official resources

2026-05-27