Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-9538 · PATCHED · CVSS 7.5
perl · archive::tar

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an attacker-controlled entry size field in the tar header

Description

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an attacker-controlled entry size field in the tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte octal size field in the tar header with no upper bound on that value. Because Perl's read() grows the target scalar to the requested length before any bytes arrive, a crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size regardless of how many bytes the archive actually contains, so a single 512-byte header is enough to exhaust memory.
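As an added example (not Archive::Tar's code and not the 3.10 fix), the following Perl reader parses one ustar entry and bounds the declared size before calling read(), which is the point at which an unbounded value becomes the allocation described above. The two bounds, a check against the bytes actually remaining in the archive and a 1 GiB cap (MAX_ENTRY_SIZE), are this example's own policy; the header builder make_header and the two archives it produces are constructed inline for the demonstration.

```perl
#!/usr/bin/env perl
# Added example, not Archive::Tar's own code: a minimal ustar entry reader
# that bounds the header's declared size before read() can allocate for it.
# The 1 GiB cap and the remaining-bytes check are this example's policy
# choices, not the upstream fix.
use strict;
use warnings;

use constant BLOCK_SIZE     => 512;
use constant MAX_ENTRY_SIZE => 1024 * 1024 * 1024;   # assumed policy cap: 1 GiB

# Build one 512-byte ustar header for the demonstration (constructed data).
sub make_header {
    my ($name, $size) = @_;
    my $hdr = pack('a100 a8 a8 a8 a12 a12 a8 a1 a100 a6 a2 a32 a32 a8 a8 a155 a12',
        $name, '0000644', '0000000', '0000000',
        sprintf('%011o', $size),   # the 12-byte octal size field at offset 124
        sprintf('%011o', 0),
        ' ' x 8,                   # checksum is computed with this field as spaces
        '0', '', 'ustar', '00', ('') x 6);
    my $sum = unpack('%24C*', $hdr);          # byte sum, the usual tar checksum idiom
    substr($hdr, 148, 8) = sprintf("%06o\0 ", $sum);
    return $hdr;
}

# Parse the 12-byte octal size field (NUL- or space-terminated). GNU base-256
# sizes (high bit set) are rejected outright rather than decoded.
sub parse_size {
    my ($field) = @_;
    return undef if ord($field) & 0x80;
    $field =~ s/[\0 ].*//s;
    return undef if $field eq '' || $field =~ /[^0-7]/;
    return oct($field);
}

# Read one entry from $fh, whose total length is $archive_len. Dies instead of
# allocating when the declared size cannot be backed by real bytes.
sub read_entry {
    my ($fh, $archive_len, $max) = @_;
    my $hdr = '';
    my $got = read($fh, $hdr, BLOCK_SIZE);
    die "short header\n" unless defined $got && $got == BLOCK_SIZE;

    (my $name = substr($hdr, 0, 100)) =~ s/\0.*//s;
    my $size = parse_size(substr($hdr, 124, 12));
    die "unparseable size field\n" unless defined $size;

    # The checks an unguarded read($fh, $data, $size) lacks: Perl grows $data
    # to $size before any bytes arrive, so the header alone decides the
    # allocation unless the size is bounded first.
    my $remaining = $archive_len - tell($fh);
    die "entry '$name' declares $size bytes but only $remaining remain\n"
        if $size > $remaining;
    die "entry '$name' exceeds the $max-byte limit\n" if $size > $max;

    my $data = '';
    if ($size) {
        my $block = BLOCK_SIZE * int(($size + BLOCK_SIZE - 1) / BLOCK_SIZE);
        my $n = read($fh, $data, $block);
        die "truncated payload\n" unless defined $n && $n == $block;
        substr($data, $size) = '';     # strip the zero padding
    }
    return { name => $name, size => $size, data => $data };
}

# Constructed archives: a valid 5-byte file, and a header claiming 4 GiB with
# no payload behind it.
my $sane = make_header('hello.txt', 5) . 'hello' . ("\0" x (BLOCK_SIZE - 5));
my $evil = make_header('boom', 4 * 1024 * 1024 * 1024);

for my $archive ($sane, $evil) {
    open my $fh, '<', \$archive or die "open: $!";
    binmode $fh;
    my $entry = eval { read_entry($fh, length $archive, MAX_ENTRY_SIZE) };
    print defined $entry
        ? "ok: $entry->{name} ($entry->{size} bytes): $entry->{data}\n"
        : "rejected: $@";
}
```

The remaining-bytes check only works when the archive length is known up front (a file on disk or an in-memory string, as here); for an archive streamed from a pipe only the fixed cap applies, and a reader that must accept arbitrarily large entries should read them in bounded chunks rather than in one read() of the declared size.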

Affected Products

Vendor | Product | Versions
perl | archive::tar | 0 (all versions before 3.10, per the description above)

References

  • https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch (patch)
  • https://metacpan.org/release/BINGOS/Archive-Tar-3.10/changes (release notes)

Related News (3 articles)

Tier A · Microsoft MSRC · 30d ago
CVE-2026-9538 Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header
→ No new info (linked only)

Tier C · VulDB · 34d ago
CVE-2026-9538 | BINGOS Archive::Tar up to 3.9 on Perl Header _read_tar memory allocation
→ No new info (linked only)

Tier C · oss-security · 34d ago
CVE-2026-9538: Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header
→ No new info (linked only)
CVSS 3.1: 7.5 (NONE)
CISA KEV: No
Actively exploited: No
Patch available: 3.10
CWE: CWE-789 (Memory Allocation with Excessive Size Value)
Published: May 26, 2026
Last enriched: 34d ago (v3)
Tags: memory exhaustion, denial of service
Trending Score: 2
Source articles: 3
Independent: 3
Info Completeness: 10/14
Missing: epss, kev, exploit, iocs


Related CVEs (5)

HIGH · CVE-2026-11625 · EXP
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Trending: 46

HIGH · CVE-2026-48962 · EXP
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Trending: 45

HIGH · CVE-2026-12844 · EXP
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function
Trending: 40

NONE · CVE-2026-12087 · EXP
Socket versions before 2.041 for Perl have an out-of-bounds heap read
Trending: 15

NONE · CVE-2026-9698 · EXP
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
Trending: 5


Verification

State: verified
Confidence: 0%

Vulnerability Timeline

May 26, 2026 · CVE Published
May 26, 2026 · Discovered by ZDM
May 26, 2026 · Updated: affectedVersions, cvssEstimate, mitreAttack, tags
May 26, 2026 · Updated: description, affectedVersions, severity
May 28, 2026 · Patch Available

Version History

v3 · Tier C · 34d ago (last enriched) · via VulDB
Updated description with more technical detail, changed affected versions to include 3.9, updated severity to HIGH, and noted that there is no available exploit.
Fields changed: description, affectedVersions, severity

v2 · Tier C · 34d ago · via oss-security
Updated description, vendor to CPAN Security Group, product to Archive-Tar, affected versions to 'before 3.10', severity to HIGH, CVSS estimate to 7.5, CWE to CWE-789, exploitAvailable to true, added MITRE ATT&CK technique T1595.002, and tags 'memory exhaustion' and 'denial of service'.
Fields changed: affectedVersions, cvssEstimate, mitreAttack, tags

v1 · 34d ago
Initial creation