Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward.
fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration.
Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.
AnalysisAI
Denial of service in the Perl module IO::Uncompress::Unzip before version 2.220 allows remote attackers to cause CPU exhaustion by supplying a crafted ZIP archive that triggers a per-byte read loop in the fastForward() routine. No public exploit identified at time of analysis, and EPSS rates exploitation probability at 0.02%, but any application that accepts untrusted ZIP files and extracts a named entry through this module is exposed to availability impact.
Technical ContextAI
IO::Uncompress::Unzip is a pure-Perl CPAN module (distributed in the IO-Compress distribution by Paul Marquess) used widely by Perl applications to read ZIP archives without shelling out to unzip. The root cause maps to CWE-407 (Inefficient Algorithmic Complexity): in fastForward(), the code intended to limit a read chunk size $c to the remaining offset, but mistakenly compared length $offset (the number of digits in the offset value, between 1 and 19) against $c, rather than $offset itself. The patch (commit 68db4407) changes the comparison to use $offset directly. Because the original 16 KiB chunk size collapses to 1-19 bytes per iteration, traversing the non-Zip64 4 GiB maximum compressed-entry size devolves into hundreds of millions of tiny read operations, burning CPU on what should be a fast seek.
RemediationAI
Upgrade the IO-Compress distribution to version 2.220 or later from CPAN (the vendor-released patch is shipped in 2.220 per https://metacpan.org/release/PMQS/IO-Compress-2.220/changes, and the source fix is commit 68db44076f4c1a86a2ffe53a958eac6cabaf72e2). Where immediate upgrade is not possible, compensating controls include rejecting or sandboxing untrusted ZIP archives, enforcing strict size caps on uploaded compressed entries well below the 4 GiB non-Zip64 limit, and wrapping IO::Uncompress::Unzip->new(..., Name => ...) calls with a Perl alarm()/SIGALRM CPU timeout - note that hard CPU timeouts will also abort large legitimate archives, so tune to expected workloads. Distribution package maintainers should pull in the upstream fix and republish; reference advisory disclosure was posted to oss-security at http://www.openwall.com/lists/oss-security/2026/05/27/2.
sbt is a build tool for Scala, Java, and others. Rated high severity (CVSS 7.1), this vulnerability is no authentication
Denial of service in the zipdetails CLI tool bundled with Perl's IO::Compress versions 2.207 through 2.219 causes the sc
Uncaught exception in IO::Uncompress::Unzip before version 2.215 for Perl causes application-level denial of service whe
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32043
GHSA-7vxx-5gqr-7r44