PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48961 PMQS CVE debrief

A defect in the zipdetails CLI tool bundled with IO::Compress for Perl causes the utility to crash when processing ZIP archives containing Info-ZIP Unix Extra Fields (tag 0x7875) with 8-byte UID or GID values. The crash occurs due to a function name mismatch: decode_ux() calls unpackValueQ() but the actual defined function is unpackValue_Q() (with underscore), resulting in an undefined subroutine error and exit status 255. This affects versions 2.207 through 2.219; version 2.220 contains the fix. Library callers of IO::Compress and IO::Uncompress are not affected.

Vendor: PMQS
Product: IO::Compress
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

  • System administrators and security teams using zipdetails for ZIP archive analysis
  • Perl developers distributing or packaging IO::Compress
  • Incident responders examining potentially malicious ZIP files that may trigger this crash condition

Technical summary

The zipdetails utility in IO::Compress versions 2.207-2.219 contains a typo in the decode_ux() function where it calls unpackValueQ() instead of the correctly named unpackValue_Q(). When processing a ZIP entry with Info-ZIP Unix Extra Field (0x7875) specifying 8-byte UID or GID sizes, the utility attempts to decode the value using the non-existent function, triggering a Perl runtime error and terminating with status 255. The underlying IO::Compress and IO::Uncompress Perl modules are unaffected; this is strictly a CLI tool defect.

Defensive priority

low

Recommended defensive actions

  • Upgrade IO::Compress to version 2.220 or later to obtain the corrected zipdetails utility
  • If immediate upgrade is not possible, avoid using zipdetails on untrusted ZIP archives that may contain Info-ZIP Unix Extra Fields with 8-byte UID/GID values
  • Note that this defect does not affect programmatic use of IO::Compress or IO::Uncompress modules; only the standalone zipdetails CLI tool is impacted
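For hosts that cannot be upgraded yet, a pre-check can tell which archives to keep away from the affected zipdetails versions. The following is an added example, not code from PatchSiren or IO::Compress: it reads each entry's central and local extra data and reports 0x7875 fields whose UID or GID size byte is 8. The function names and the sample bytes are hypothetical, and the field layout assumed is version byte, UIDSize, UID, GIDSize, GID.

```python
import io
import struct
import zipfile

UX_TAG = 0x7875  # Info-ZIP Unix Extra Field tag named in the advisory

# Constructed sample: version 1, 8-byte UID 1000, 4-byte GID 1000.
_BODY = b"\x01\x08" + struct.pack("<Q", 1000) + b"\x04" + struct.pack("<I", 1000)
SAMPLE_WIDE = struct.pack("<HH", UX_TAG, len(_BODY)) + _BODY

def wide_ids(extra):
    """Return (uid_size, gid_size) for each 0x7875 field with an 8-byte UID or GID."""
    hits, pos = [], 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if tag != UX_TAG or len(body) < 2:
            continue
        uid_size = body[1]                       # body[0] is the version byte
        gid_at = 2 + uid_size                    # GIDSize follows the UID bytes
        gid_size = body[gid_at] if gid_at < len(body) else 0
        if 8 in (uid_size, gid_size):
            hits.append((uid_size, gid_size))
    return hits

def local_extra(fh, header_offset):
    """Read the extra field of the local file header at header_offset."""
    fh.seek(header_offset)
    fixed = fh.read(30)
    if len(fixed) < 30 or fixed[:4] != b"PK\x03\x04":
        return b""
    name_len, extra_len = struct.unpack_from("<HH", fixed, 26)
    fh.seek(name_len, io.SEEK_CUR)
    return fh.read(extra_len)

def scan_zip(fh):
    """List (member, header, uid_size, gid_size) for entries with 8-byte IDs."""
    findings = []
    with zipfile.ZipFile(fh) as zf:
        for info in zf.infolist():
            extras = (("central", info.extra),
                      ("local", local_extra(fh, info.header_offset)))
            for header, extra in extras:
                for uid_size, gid_size in wide_ids(extra):
                    findings.append((info.filename, header, uid_size, gid_size))
    return findings
```

Pass `scan_zip` a file object opened in binary mode; an empty list means no entry carries the 8-byte UID or GID size described above.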

Evidence notes

The CVE description and NVD source data confirm the defect is isolated to the zipdetails CLI tool, not the underlying IO::Compress/IO::Uncompress libraries. The fix commit corrects the function name from unpackValueQ to unpackValue_Q. The CVSS score and severity are not yet assigned.
