A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-48961

CVE-2026-48961: Perl IO::Compress zipdetails DoS Vulnerability

CVE-2026-48961 is a denial of service flaw in Perl IO::Compress zipdetails CLI tool (versions 2.207-2.219) that crashes when processing Info-ZIP Unix Extra Fields with 8-byte UID or GID values. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: May 28, 2026

CVE-2026-48961 Overview

CVE-2026-48961 affects the zipdetails command-line tool bundled with the Perl IO::Compress distribution, versions 2.207 through 2.219. The flaw is a missing function reference [CWE-755] inside bin/zipdetails. When the tool parses an Info-ZIP Unix Extra Field (tag 0x7875) containing an 8-byte UID or GID value, it calls a misnamed helper unpackValueQ that does not exist. The actual function defined in the file is unpackValue_Q. Perl raises Undefined subroutine &main::unpackValueQ and zipdetails exits with status 255. Library callers of IO::Compress and IO::Uncompress are not affected because the defect lives only in the bundled CLI utility.

Critical Impact

A crafted ZIP archive with an 8-byte UID or GID in the Info-ZIP Unix Extra Field crashes zipdetails during inspection, breaking forensic and automated archive-analysis workflows that depend on the tool.

Affected Products

  • Perl IO::Compress distribution versions 2.207 through 2.219
  • The zipdetails CLI tool shipped under bin/zipdetails
  • Downstream OS packages repackaging affected IO::Compress releases

Discovery Timeline

  • 2026-05-27 - CVE-2026-48961 published to NVD
  • 2026-05-27 - Issue disclosed on the OpenWall oss-security mailing list
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-48961

Vulnerability Analysis

The defect is an unresolved subroutine reference in the zipdetails parser. When decode_ux() in bin/zipdetails processes an Info-ZIP Unix Extra Field (header tag 0x7875), it inspects the UID Size and GID Size bytes. If either size is set to 8, the field carries a 64-bit identifier. Decoding then routes through decodeLitteEndian(), which dispatches to a helper named unpackValueQ.

No such helper exists in the file. The function actually defined is unpackValue_Q, with an underscore separating the suffix. Perl resolves subroutine names at call time, so the typo is not surfaced until an archive with an 8-byte UID or GID is parsed. At that point the interpreter throws Undefined subroutine &main::unpackValueQ and the script terminates with exit code 255. The vulnerability is classified as Improper Check for Unusual or Exceptional Conditions [CWE-755] and results in a denial-of-service condition limited to the CLI utility.

Root Cause

The root cause is a naming inconsistency between caller and callee. decodeLitteEndian() in bin/zipdetails invokes unpackValueQ, but the implementation is named unpackValue_Q. The 4-byte UID/GID path uses a separately named helper and therefore parses correctly. The 8-byte path was never exercised by the test suite, so the typo persisted from release 2.207 through 2.219.

Attack Vector

An attacker supplies a ZIP archive containing an Info-ZIP Unix Extra Field with UID Size or GID Size set to 8. When an analyst or automated pipeline runs zipdetails against the file, the script aborts. The impact is confined to the CLI: library workflows using IO::Compress or IO::Uncompress modules continue to function. There is no code execution or memory corruption. The vulnerability disrupts archive inspection, which can hinder incident response and malware triage when adversaries deliberately craft archives to break analysis tooling.

No verified exploitation code is available. The crash is reproducible by constructing a minimal ZIP entry whose extra-field block carries tag 0x7875 with the UID or GID size byte set to 0x08 and an 8-byte identifier payload, then invoking zipdetails against the file. See the GitHub patch commit for the exact code path.

Detection Methods for CVE-2026-48961

Indicators of Compromise

  • zipdetails process exits with status 255 and emits Undefined subroutine &main::unpackValueQ to standard error
  • ZIP archives containing an Info-ZIP Unix Extra Field (tag 0x7875) where the UID Size or GID Size byte equals 0x08
  • Repeated zipdetails failures in automated archive-analysis or CI pipelines processing untrusted ZIP files

Detection Strategies

  • Inventory hosts running Perl IO::Compress2.207 through 2.219 using package managers (cpan -l, dpkg -l, rpm -qa) and CPAN module version checks
  • Inspect ZIP archives for the 0x7875 extra-field tag and flag entries declaring 8-byte UID or GID sizes prior to invocation of zipdetails
  • Monitor analyst workstations and sandbox runners for zipdetails non-zero exit codes correlated with ZIP file inputs

Monitoring Recommendations

  • Capture stderr from forensic tooling and alert on the literal string Undefined subroutine &main::unpackValueQ
  • Log the version of IO::Compress in use across analysis pipelines and trigger remediation when versions fall in the affected range
  • Track ZIP archive metadata anomalies in upload and email-attachment paths feeding analysis workflows

How to Mitigate CVE-2026-48961

Immediate Actions Required

  • Upgrade IO::Compress to version 2.220 or later from CPAN or the relevant distribution repository
  • Identify all systems running affected versions, including analyst workstations, sandboxes, and CI workers that call zipdetails
  • Wrap zipdetails invocations in automation with error handling so a crash does not silently skip archive inspection

Patch Information

The maintainer fixed the typo in bin/zipdetails by aligning the caller in decodeLitteEndian() with the defined helper unpackValue_Q. The fix is included in IO::Compress2.220. See the GitHub patch commit, the MetaCPAN release changes, and the OpenWall oss-security post for full technical context.

Workarounds

  • Pre-filter ZIP archives and reject or repair entries whose Info-ZIP Unix Extra Field (0x7875) declares an 8-byte UID or GID before passing to zipdetails
  • Use alternative ZIP inspection tools such as unzip -lv or zipinfo until the patched version is deployed
  • Pin Perl environments to IO::Compress2.220 or later in dependency manifests and container base images
bash
# Configuration example
# Upgrade IO::Compress to the patched release
cpan IO::Compress

# Verify the installed version is 2.220 or later
perl -MIO::Compress -e 'print "$IO::Compress::VERSION\n"'

# Confirm the patched helper name is present in bin/zipdetails
grep -n 'unpackValue_Q' "$(which zipdetails)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechPerl
  • SeverityNONE
  • CVSS ScoreN/A
  • EPSS Probability0.02%
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-755
  • Technical References
  • GitHub Patch Commit
  • MetaCPAN Release Changes
  • OpenWall OSS Security Post
  • Related CVEs
  • CVE-2026-8594: Text::LineFold Perl DOS Vulnerability
  • CVE-2026-48959: Perl IO::Uncompress::Unzip DOS Vulnerability
  • CVE-2025-15649: Perl IO::Uncompress::Unzip DoS Vulnerability
  • CVE-2026-8177: XML::LibXML Perl DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English