CVE-2026-48959: CWE-407 Inefficient Algorithmic Complexity in PMQS IO::Uncompress::Unzip
CVE-2026-48959 is a vulnerability in the IO::Uncompress::Unzip Perl module in versions before 2.220 that allows CPU exhaustion via an inefficient algorithmic complexity issue. The fastForward() function incorrectly compares the digit count of the offset, rather than the offset itself, against the chunk size, causing the chunk size to shrink drastically and resulting in a per-byte read loop. This behavior can be triggered when extracting a named entry from a crafted zip file, potentially causing high CPU usage proportional to the compressed size of the entry, up to 4 GiB. No patch or official remediation has been confirmed yet, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability in IO::Uncompress::Unzip (CVE-2026-48959) arises from an inefficient algorithmic complexity issue (CWE-407) in the fastForward() function. Instead of comparing the offset itself, the function compares the digit count of the offset against the chunk size, causing the chunk size to reduce from 16 KiB to between 1 and 19 bytes per iteration. This leads to a per-byte read loop when extracting a named entry from a zip archive, which can be exploited by an attacker supplying a crafted zip file to cause CPU exhaustion. The impact scales with the compressed size of the entry, up to the 4 GiB limit of non-Zip64 archives. The vulnerability affects versions before 2.220. There is no CVSS score or vendor advisory confirming a patch or mitigation at this time.
Potential Impact
The vulnerability can cause significant CPU resource exhaustion on systems using vulnerable versions of IO::Uncompress::Unzip when processing specially crafted zip files. This may lead to denial of service conditions due to high CPU consumption. There are no known exploits in the wild, and the impact is limited to CPU exhaustion rather than code execution or data corruption.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid processing untrusted zip files with IO::Uncompress::Unzip versions prior to 2.220. Monitor updates from the vendor PMQS for official patches or mitigations.
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-05-26T18:09:32.365Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a16660ce29bf47b50903585
Added to database: 5/27/2026, 3:33:32 AM
Last enriched: 5/27/2026, 3:49:01 AM
Last updated: 5/27/2026, 4:34:17 AM