CVE-2026-9538
EUVD-2026-3177526.05.2026, 02:16
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| archive\ | \ | 𝑥 < 3.10 |
𝑥
= Vulnerable software versions
Debian Releases
Amazon Linux Releases
Common Weakness Enumeration