Fluid Attacks Database

Description

IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward. fastForward() compares length $offset (the digit count of the offset, 1 to 19) against the chunk size $c instead of $offset itself, so $c shrinks from 16 KiB to 1-19 bytes per iteration. Extracting a named entry from an attacker supplied zip via IO::Uncompress::Unzip->new($zip, Name => $target) drives a per-byte read loop scaling with the entry's compressed size, up to the non-Zip64 4 GiB cap.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	libio-compress-perl	=2.101-1 \|\| =2.102-1 \|\| =2.103-1 \|\| =2.104-1 \|\| =2.105-1 \|\| =2.201-1 \|\| =2.201-2 \|\| =2.204-1 \|\| =2.206-1 \|\| =2.207-1 \|\| =2.208-1 \|\| =2.211-1 \|\| =2.212-1 \|\| =2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| =2.220-1	-
debian 12	libio-compress-perl	=2.204-1 \|\| =2.206-1 \|\| =2.207-1 \|\| =2.208-1 \|\| =2.211-1 \|\| =2.212-1 \|\| =2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| =2.220-1	-
debian 11	perl	=5.32.1-4 \|\| =5.32.1-4+deb11u1 \|\| =5.32.1-4+deb11u2 \|\| =5.32.1-4+deb11u3 \|\| =5.32.1-4+deb11u4 \|\| =5.32.1-4+deb11u5 \|\| =5.32.1-5 \|\| =5.32.1-6 \|\| =5.34.0-1 \|\| =5.34.0-2 \|\| =5.34.0-3 \|\| =5.34.0-4 \|\| =5.34.0-5 \|\| =5.34.0~rc2-1 \|\| =5.36.0-1 \|\| =5.36.0-10 \|\| =5.36.0-2 \|\| =5.36.0-3 \|\| =5.36.0-4 \|\| =5.36.0-5 \|\| =5.36.0-6 \|\| =5.36.0-7 \|\| =5.36.0-8 \|\| =5.36.0-9 \|\| =5.38.0-1 \|\| =5.38.0-2 \|\| =5.38.0~rc2-1 \|\| =5.38.2-1 \|\| =5.38.2-2 \|\| =5.38.2-3 \|\| =5.38.2-3.1 \|\| =5.38.2-3.2 \|\| =5.38.2-3.2+hurd.1 \|\| =5.38.2-4 \|\| =5.38.2-5 \|\| =5.40.0-1 \|\| =5.40.0-2 \|\| =5.40.0-3 \|\| =5.40.0-4 \|\| =5.40.0-5 \|\| =5.40.0-6 \|\| =5.40.0-7 \|\| =5.40.0-8 \|\| =5.40.0~rc1-1 \|\| =5.40.1-1 \|\| =5.40.1-2 \|\| =5.40.1-3 \|\| =5.40.1-4 \|\| =5.40.1-5 \|\| =5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-
debian 12	perl	=5.36.0-10 \|\| =5.36.0-7 \|\| =5.36.0-7+deb12u1 \|\| =5.36.0-7+deb12u2 \|\| =5.36.0-7+deb12u3 \|\| =5.36.0-8 \|\| =5.36.0-9 \|\| =5.38.0-1 \|\| =5.38.0-2 \|\| =5.38.0~rc2-1 \|\| =5.38.2-1 \|\| =5.38.2-2 \|\| =5.38.2-3 \|\| =5.38.2-3.1 \|\| =5.38.2-3.2 \|\| =5.38.2-3.2+hurd.1 \|\| =5.38.2-4 \|\| =5.38.2-5 \|\| =5.40.0-1 \|\| =5.40.0-2 \|\| =5.40.0-3 \|\| =5.40.0-4 \|\| =5.40.0-5 \|\| =5.40.0-6 \|\| =5.40.0-7 \|\| =5.40.0-8 \|\| =5.40.0~rc1-1 \|\| =5.40.1-1 \|\| =5.40.1-2 \|\| =5.40.1-3 \|\| =5.40.1-4 \|\| =5.40.1-5 \|\| =5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-
debian 14	perl	=5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-
debian 14	libio-compress-perl	=2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| >=0 <2.220-1	2.220-1
debian 13	libio-compress-perl	=2.213-1 \|\| =2.214-1 \|\| =2.217-1 \|\| =2.219-1 \|\| =2.219-2 \|\| =2.220-1	-
debian 13	perl	=5.40.1-6 \|\| =5.40.1-7 \|\| =5.42.0-1 \|\| =5.42.0-2 \|\| =5.42.0-3 \|\| =5.42.2-1	-

Aliases

1. CVE-2026-489592. NVD-2026-489593. OSV-DEBIAN-2026-489594. OSV-2026-489595. SECURITY-TRACKER-CVE-2026-48959

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.