CVE-2026-48961: CWE-755 Improper Handling of Exceptional Conditions in PMQS IO::Compress
CVE-2026-48961 is a vulnerability in the IO::Compress Perl module versions from 2. 207 before 2. 220. The bundled zipdetails CLI tool crashes due to an undefined subroutine error when processing an Info-ZIP Unix Extra Field containing an 8-byte UID or GID. This occurs because the tool calls a misnamed helper function, causing the script to exit unexpectedly. The vulnerability affects only the CLI tool, not the library functions used by other callers.
AI Analysis
Technical Summary
The IO::Compress Perl module versions 2.207 up to but not including 2.220 include a zipdetails command-line tool that improperly handles exceptional conditions when decoding Info-ZIP Unix Extra Fields with 8-byte UID or GID values. Specifically, the decode_ux() function calls a non-existent helper function unpackValueQ instead of the correctly named unpackValue_Q, resulting in an undefined subroutine error and a crash with exit status 255. This defect is limited to the CLI tool and does not impact library callers of IO::Compress or IO::Uncompress.
Potential Impact
The impact is limited to denial of service of the zipdetails CLI tool when processing specially crafted zip files containing Info-ZIP Unix Extra Fields with 8-byte UID or GID values. There is no indication of code execution or compromise of the IO::Compress library itself. Library users are not affected by this defect.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using the zipdetails CLI tool on zip files containing Info-ZIP Unix Extra Fields with 8-byte UID or GID values. Library users of IO::Compress and IO::Uncompress are not affected and do not require mitigation.
CVE-2026-48961: CWE-755 Improper Handling of Exceptional Conditions in PMQS IO::Compress
Description
CVE-2026-48961 is a vulnerability in the IO::Compress Perl module versions from 2. 207 before 2. 220. The bundled zipdetails CLI tool crashes due to an undefined subroutine error when processing an Info-ZIP Unix Extra Field containing an 8-byte UID or GID. This occurs because the tool calls a misnamed helper function, causing the script to exit unexpectedly. The vulnerability affects only the CLI tool, not the library functions used by other callers.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The IO::Compress Perl module versions 2.207 up to but not including 2.220 include a zipdetails command-line tool that improperly handles exceptional conditions when decoding Info-ZIP Unix Extra Fields with 8-byte UID or GID values. Specifically, the decode_ux() function calls a non-existent helper function unpackValueQ instead of the correctly named unpackValue_Q, resulting in an undefined subroutine error and a crash with exit status 255. This defect is limited to the CLI tool and does not impact library callers of IO::Compress or IO::Uncompress.
Potential Impact
The impact is limited to denial of service of the zipdetails CLI tool when processing specially crafted zip files containing Info-ZIP Unix Extra Fields with 8-byte UID or GID values. There is no indication of code execution or compromise of the IO::Compress library itself. Library users are not affected by this defect.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using the zipdetails CLI tool on zip files containing Info-ZIP Unix Extra Fields with 8-byte UID or GID values. Library users of IO::Compress and IO::Uncompress are not affected and do not require mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-05-26T18:09:32.365Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a16660ce29bf47b50903589
Added to database: 5/27/2026, 3:33:32 AM
Last enriched: 5/27/2026, 3:48:54 AM
Last updated: 5/27/2026, 4:38:30 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.