CVE-2026-9538

EUVD-2026-31775
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.

_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.

A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
Affected Products (NVD)
VendorProductVersion
archive\\
𝑥
< 3.10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
perl
bookworm
postponed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
postponed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
perl-Archive-Tar
Amazon Linux 2
0:1.92-3.amzn2.0.2
fixed
Amazon Linux 2023
0:3.04-522.amzn2023.0.3
fixed
perl-Archive-Tar-tests
Amazon Linux 2023
0:3.04-522.amzn2023.0.3
fixed