VYPR
Unrated severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-9538

Description

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an attacker-controlled entry size field in the tar header.

_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.

A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Archive::Tar before 3.10 for Perl allows memory exhaustion via attacker-controlled size field in tar header, leading to allocation of multi-gigabyte scalars.

Vulnerability

The _read_tar() function in Archive::Tar versions before 3.10 reads each tar entry's payload using $handle->read($$data, $block), where $block is derived directly from the entry's 12-byte size field in the tar header with no upper bound. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size, leading to memory exhaustion [1][2].

Exploitation

An attacker can craft a tar archive with a malicious entry that declares an extremely large size (e.g., 100 GB). The victim only needs to process the archive (e.g., via extract() or reading), and the memory allocation occurs during the read step before any extraction or validation [2][3]. No special privileges or authentication are required.

Impact

Successful exploitation leads to memory exhaustion, causing the Perl process to allocate a huge scalar, potentially crashing or being killed by the system. This results in a denial of service (DoS). No code execution or information disclosure is achieved [2].

Mitigation

The vulnerability is fixed in version 3.10 of Archive::Tar, which introduces the $MAX_FILE_SIZE setting (defaulting to 1 GB) that caps the allowed entry size during read [1][3]. Users should upgrade to 3.10 or later. If upgrading is not possible, workarounds include setting $Archive::Tar::MAX_FILE_SIZE to a safe value (e.g., 1 GB) or not processing untrusted tar archives [3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
f9af01426038

Cap entry size during read

https://github.com/jib/archive-tar-new · Stig Palmquist · May 25, 2026 · via body-scan
1 file changed · +17 −1
  • lib/Archive/Tar.pm (+17 −1, modified)
    @@ -24,7 +24,7 @@ use strict;
     use vars qw[$DEBUG $error $VERSION $WARN $FOLLOW_SYMLINK $CHOWN $CHMOD
                 $DO_NOT_USE_PREFIX $HAS_PERLIO $HAS_IO_STRING $SAME_PERMISSIONS
                 $INSECURE_EXTRACT_MODE $ZERO_PAD_NUMBERS @ISA @EXPORT $RESOLVE_SYMLINK
    -            $EXTRACT_BLOCK_SIZE $EXTRACT_HARDLINK
    +            $EXTRACT_BLOCK_SIZE $EXTRACT_HARDLINK $MAX_FILE_SIZE
              ];
     
     @ISA                    = qw[Exporter];
    @@ -42,6 +42,7 @@ $ZERO_PAD_NUMBERS       = 0;
     $RESOLVE_SYMLINK        = $ENV{'PERL5_AT_RESOLVE_SYMLINK'} || 'speed';
     $EXTRACT_BLOCK_SIZE     = 1024 * 1024 * 1024;
     $EXTRACT_HARDLINK       = 0;
    +$MAX_FILE_SIZE          = 1024 * 1024 * 1024;
     
     BEGIN {
         use Config;
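Review bot: the new default `$MAX_FILE_SIZE = 1024 * 1024 * 1024;` still permits a single entry to force a 1 GiB scalar allocation, which is enough to take down a memory-constrained consumer (a CGI worker or a container with a small memory limit), so the check should be accompanied by documentation telling callers that handle untrusted archives to lower it. The neighbouring `$RESOLVE_SYMLINK = $ENV{'PERL5_AT_RESOLVE_SYMLINK'} || 'speed';` already establishes an environment-override pattern; offering the same for this cap would let operators tighten it without code changes.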
    @@ -445,6 +446,14 @@ sub _read_tar {
     
                 my $block = BLOCK_SIZE->( $entry->size );
     
    +            if ( $MAX_FILE_SIZE && $entry->size > $MAX_FILE_SIZE ) {
    +                $self->_error( qq[Entry '] . $entry->full_path .
    +                    qq[' declared size ] . $entry->size .
    +                    qq[ bytes exceeds \$Archive::Tar::MAX_FILE_SIZE ] .
    +                    qq[($MAX_FILE_SIZE); refusing to allocate] );
    +                next LOOP;
    +            }
    +
                 $data = $entry->get_content_by_ref;
     
     	    my $skip = 0;
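Review bot: `next LOOP;` after `$self->_error(...)` advances to the next header without consuming the refused entry's payload, so for an archive that genuinely carries more than `$MAX_FILE_SIZE` bytes for that entry the following header reads land inside its data and every later entry is misparsed; either make the refusal a hard stop for the read, or skip the declared size in bounded chunks through the existing `$skip` path before continuing. Placing the check after `my $block = BLOCK_SIZE->( $entry->size );` is only safe because that call is pure arithmetic; a comment noting that no allocation happens before the guard would keep a future refactor from reordering them.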
    @@ -2224,6 +2233,13 @@ cannot be arbitrarily large since some operating systems limit the number of
     bytes that can be written in one call to C<write(2)>, so if this is too large,
     extraction may fail with an error.
     
    +=head2 $Archive::Tar::MAX_FILE_SIZE
    +
    +This variable holds an upper bound on the per-entry declared size that
    +C<Archive::Tar> will accept when reading an archive. Entries whose header
    +claims a larger size are refused with an error before any read allocation.
    +Defaults to 1 GiB. Set to 0 to disable the cap.
    +
     =cut
     
     =head1 FAQ
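Review bot: the new `=head2 $Archive::Tar::MAX_FILE_SIZE` section says entries are "refused with an error" but not what the caller observes: from the code the refusal is reported through `_error` (so it surfaces only via the module's error accessor or when `$WARN` is set) and the rest of the archive is still processed, which is easy to mistake for a complete, successful read. Spell that out, and state that the cap is per entry rather than for the archive as a whole.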
    

Vulnerability mechanics

Root cause

"Missing upper-bound check on the attacker-controlled tar header size field allows allocation of arbitrarily large Perl scalars, leading to memory exhaustion."

Attack vector

An attacker crafts a tar archive whose header contains a 12-byte size field declaring an extremely large value (e.g., 100 GB) for an inner entry. When `Archive::Tar` processes this entry via `_read_tar()`, it computes `$block` from the attacker-controlled size and allocates a Perl scalar of that size, causing immediate memory exhaustion [ref_id=1]. The attack requires no special privileges — the victim only needs to read the malicious archive with a vulnerable version of Archive::Tar [patch_id=2539781].

Affected code

The vulnerability is in the `_read_tar()` subroutine in `lib/Archive/Tar.pm`. The function reads each tar entry's payload using `$handle->read($$data, $block)`, where `$block` is derived from the entry's 12-byte size field in the tar header with no upper bound [patch_id=2539781]. The non-skip extract path at Tar.pm:501 allocates a Perl scalar of the declared size before returning a read-short error [ref_id=1].

What the fix does

The patch introduces a new variable `$MAX_FILE_SIZE` (default 1 GiB) and adds a check in `_read_tar()` before any allocation: if the entry's declared size exceeds `$MAX_FILE_SIZE`, the entry is skipped with an error via `$self->_error()` and `next LOOP` [patch_id=2539781]. This gates both the chunked-skip and full-slurp branches, preventing the allocation of oversized scalars. The variable can be set to 0 to disable the cap [ref_id=1].
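A stand-alone pre-scan of a tar header chain, added here as an illustration and not Archive::Tar's code: it decodes each entry's 12-byte size field the way a tar reader must (NUL-terminated octal, or GNU base-256 for values that do not fit in 11 octal digits), applies the same per-entry cap the fix introduces (1 GiB by default, 0 to disable), and skips payloads by offset rather than reading them, so an oversized declaration is refused before any allocation. The benign entry comes from Python's tarfile; the trailing header declaring 100 GiB is constructed inline and carries no data, like the crafted archive described above.

```python
import io
import tarfile

BLOCK = 512
MAX_FILE_SIZE = 1024 * 1024 * 1024  # same per-entry default as the patched Archive::Tar (1 GiB)

def decode_size(field: bytes) -> int:
    """Decode a tar header size field: GNU base-256 if the high bit is set, else octal text."""
    if field[0] & 0x80:
        return int.from_bytes(field[1:], "big")
    return int(field.rstrip(b"\x00 ").lstrip(b" ") or b"0", 8)

def scan_tar_headers(data: bytes, cap: int = MAX_FILE_SIZE):
    """Walk the header chain by offset, never reading a payload; return (name, size, accepted)."""
    results, off = [], 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\x00" * BLOCK:
            break                       # end-of-archive marker
        name = hdr[0:100].split(b"\x00", 1)[0].decode("utf-8", "replace")
        size = decode_size(hdr[124:136])
        accepted = (not cap) or size <= cap  # cap == 0 disables the check, as in the patch
        results.append((name, size, accepted))
        if not accepted:
            break                       # refuse before touching the payload
        off += BLOCK + -(-size // BLOCK) * BLOCK  # skip the payload, rounded up to 512
    return results

def crafted_header(name: str, declared_size: int) -> bytes:
    """Constructed ustar header whose size field claims `declared_size` bytes (base-256 form)."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:108], hdr[108:116], hdr[116:124] = b"0000644\x00", b"0000000\x00", b"0000000\x00"
    hdr[124] = 0x80                           # GNU base-256 marker for values beyond 11 octal digits
    hdr[125:136] = declared_size.to_bytes(11, "big")
    hdr[136:148], hdr[156] = b"00000000000\x00", ord("0")
    hdr[148:156], hdr[257:263], hdr[263:265] = b" " * 8, b"ustar\x00", b"00"
    hdr[148:156] = b"%06o\x00 " % sum(hdr)    # checksum is computed with the field as spaces
    return bytes(hdr)

def build_sample() -> bytes:
    """Constructed input: one benign entry from tarfile, then a header declaring 100 GiB and no data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("hello.txt")
        info.size = 6
        tf.addfile(info, io.BytesIO(b"hello\n"))
    benign = buf.getvalue()[:2 * BLOCK]       # header + one padded data block; drop the end marker
    return benign + crafted_header("evil.bin", 100 * 1024 ** 3)
```

Running `scan_tar_headers(build_sample())` accepts `hello.txt` (6 bytes) and refuses `evil.bin` without ever touching its declared 100 GiB payload.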

Preconditions

  • input: Victim must process a crafted tar archive using a vulnerable version of Archive::Tar (before 3.10)
  • auth: No authentication or special privileges required

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
