CVE-2026-48961

EUVD-2026-32044
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID.

When decode_ux() in bin/zipdetails handles an Info-ZIP Unix Extra Field (tag 0x7875) with UID Size or GID Size set to 8, causing zipdetails to decode an 8-byte UID or GID value, it dispatches through decodeLitteEndian(), which calls a misnamed helper unpackValueQ. The actual function defined in the same file is unpackValue_Q (with underscore); the call raises 'Undefined subroutine &main::unpackValueQ' and the script exits with status 255.

Library callers of IO::Compress and IO::Uncompress are not affected; the defect is in the bundled CLI tool.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 17%
Debian logo
Debian Releases
Debian Product
Codename
libio-compress-perl
bookworm
2.204-1
fixed
bullseye
2.101-1
fixed
forky
2.223-1
fixed
sid
2.223-1
fixed
trixie
no-dsa
perl
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
5.40.1-8
fixed
sid
5.40.1-8
fixed
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libio-compress-perl
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
ignored
resolute
needs-triage
perl
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
ignored
resolute
needs-triage
trusty
needs-triage
xenial
needs-triage
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
perl-IO-Compress
Amazon Linux 2023
0:2.217-1.amzn2023.0.2
fixed
perl-IO-Compress-tests
Amazon Linux 2023
0:2.217-1.amzn2023.0.2
fixed