CVE-2026-9538: Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header
Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.
_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.
A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.
A malformed tar archive can make vulnerable Perl Archive::Tar versions allocate excessive memory while reading an entry. The practical impact is denial of service: a process that accepts or scans untrusted tar files may run out of memory or crash.
Executive priority
Treat as a targeted denial-of-service risk. It is not shown as actively exploited, but externally supplied archive processing should be patched promptly because failures may affect availability.
Technical view
Archive::Tar before 3.10 derives an entry read size from the tar header size field without an upper bound. In _read_tar(), that value reaches a read into a Perl scalar, allowing attacker-controlled oversized allocation. This maps to CWE-789: uncontrolled memory allocation.
Likely exposure
Exposure is most likely in Perl applications, automation, package-processing jobs, or security scanners that use Archive::Tar to process tar archives from users, partners, CI artifacts, or other untrusted sources.
Exploitation context
The bundle does not show KEV listing, CVSS scoring, or confirmed active exploitation. Exploitation would require the target to parse a crafted tar archive with a vulnerable Archive::Tar version.
Researcher notes
The source bundle identifies the vulnerable behavior and a 3.10 release/patch reference, but provides no CVSS vector, affected CPEs, exploit telemetry, or distribution-specific fixed package data.
Mitigation direction
Upgrade Archive::Tar or Archive-Tar to version 3.10 or later.
Prioritize systems that process untrusted tar archives automatically.
Apply memory limits around archive-processing workers where practical.
Check vendor or distribution advisories for backported fixes.
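The technical view above describes the weakness (a read whose length comes straight from the 12-byte size field) and the mitigation list asks for upgrades and bounded memory around archive workers. The following is an added example, written for this page and not taken from Archive::Tar, the CPANSec report, or the 3.10 change itself: it walks only the 512-byte headers of an archive, skips each payload with seek() so memory stays constant, and refuses the file when any entry declares a size above a cap before Archive::Tar is ever asked to read it. It also checks the loaded $Archive::Tar::VERSION against 3.10. The 64 MiB cap, the helper names and the two in-memory sample archives (one benign, one declaring 4 GiB) are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example (not Archive::Tar code and not the 3.10 fix): refuse an
# archive whose headers declare an oversized entry before Archive::Tar
# reads it, and confirm the loaded Archive::Tar is a fixed version.
use strict;
use warnings;
use version;
use Fcntl qw(SEEK_CUR);

use constant BLOCK_SIZE     => 512;
use constant MAX_ENTRY_SIZE => 64 * 1024 * 1024;   # hypothetical policy cap: 64 MiB

# Decode the 12-byte size field at header offset 124. POSIX ustar stores
# ASCII octal; GNU tar switches to base-256 when the first byte's high bit
# is set. Returns undef if the field cannot be parsed.
sub decode_size_field {
    my ($field) = @_;
    my @bytes = unpack 'C*', $field;
    if ($bytes[0] & 0x80) {
        $bytes[0] &= 0x7f;
        my $n = 0;
        $n = $n * 256 + $_ for @bytes;
        return $n;
    }
    my ($octal) = $field =~ /^\s*([0-7]+)/;
    return defined $octal ? oct($octal) : undef;
}

# Walk the 512-byte headers of an open, seekable filehandle and return a
# list of problems (empty list means every declared size is within $max).
# Payloads are skipped with seek(), so nothing here allocates entry data.
sub check_tar_entry_sizes {
    my ($fh, $max) = @_;
    $max //= MAX_ENTRY_SIZE;
    my @problems;
    my $index = 0;
    while (my $got = read($fh, my $hdr, BLOCK_SIZE)) {
        if ($got != BLOCK_SIZE) {
            push @problems, "truncated header block at entry $index";
            last;
        }
        last if $hdr eq "\0" x BLOCK_SIZE;           # end-of-archive marker
        my $name = unpack 'Z100', $hdr;
        my $size = decode_size_field(substr($hdr, 124, 12));
        if (!defined $size) {
            push @problems, "entry $index ($name): unparseable size field";
            last;
        }
        if ($size > $max) {
            push @problems, "entry $index ($name): declared size $size exceeds cap $max";
            last;
        }
        # Skip the payload, rounded up to the next 512-byte boundary.
        my $padded = int(($size + BLOCK_SIZE - 1) / BLOCK_SIZE) * BLOCK_SIZE;
        unless (seek($fh, $padded, SEEK_CUR)) {
            push @problems, "entry $index ($name): cannot seek past payload";
            last;
        }
        $index++;
    }
    return @problems;
}

# True when the Archive::Tar that gets loaded reports version 3.10 or later.
sub archive_tar_is_fixed {
    require Archive::Tar;
    return version->parse($Archive::Tar::VERSION) >= version->parse('3.10');
}

# Build a minimal ustar-style header for a constructed sample archive.
sub build_header {
    my ($name, $size_field) = @_;
    my $hdr = pack 'a100 a8 a8 a8 a12 a12',
        $name, '0000644', '0000000', '0000000', $size_field, '00000000000';
    $hdr .= "\0" x (BLOCK_SIZE - length $hdr);
    substr($hdr, 148, 8) = ' ' x 8;                    # checksum is computed over spaces
    my $sum = 0;
    $sum += $_ for unpack 'C*', $hdr;
    substr($hdr, 148, 8) = sprintf('%06o', $sum) . "\0 ";
    return $hdr;
}

# Constructed samples: a benign 5-byte entry, and one whose header claims
# 4 GiB (octal 40000000000) with no payload behind it.
my $benign  = build_header('hello.txt', '00000000005') . ('hello' . "\0" x 507)
            . "\0" x (2 * BLOCK_SIZE);
my $hostile = build_header('huge.bin', '40000000000') . "\0" x (2 * BLOCK_SIZE);

for my $case (['benign', \$benign], ['hostile', \$hostile]) {
    my ($label, $ref) = @$case;
    open my $fh, '<', $ref or die "open: $!";
    binmode $fh;
    my @problems = check_tar_entry_sizes($fh);
    close $fh;
    printf "%-8s %s\n", $label,
        @problems ? "REJECT: @problems" : 'ok, safe to hand to Archive::Tar';
}

my $fixed = archive_tar_is_fixed();
printf "Archive::Tar %s (%s)\n", $Archive::Tar::VERSION,
    $fixed ? 'fixed' : 'vulnerable, upgrade to 3.10 or later';
```

In a real worker the caller opens the untrusted file, runs check_tar_entry_sizes() on it, and only on an empty result rewinds the handle and passes the file to Archive::Tar; a declared size above the cap never reaches the read in _read_tar(). The cap is a policy choice for the service, not a value from the advisory, and the version check is a convenience for the inventory step (the same thing as running perl -MArchive::Tar -e 'print $Archive::Tar::VERSION' on each host).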
Validation and detection
Inventory Perl dependencies for Archive::Tar or Archive-Tar versions before 3.10.
Identify services and jobs that parse tar archives from untrusted sources.
Confirm upgraded hosts load the fixed module version.
Review logs for archive-processing crashes or memory exhaustion events.
Based on public source material and reviewed before publication.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-789: exact CWE lookup (low confidence lookup)
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Record counts: 0 CVSS vectors, 5 timeline events, 1 ADP provider, 4 source links.
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
Source timeline (CPANSec): Issue reported.
Source timeline (CPANSec): Version 3.10 released.
May 25, 2026, 00:00 UTC: CVE reserved (CVE Program). The CVE ID was reserved by the assigning CNA.
May 25, 2026, 23:04 UTC: CVE published (CVE Program). The CVE record was published.
May 26, 2026, 00:18 UTC: CVE updated (CVE Program). The CVE record metadata indicates this as the latest update time.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-789 · source CWE mapping
Memory Allocation with Excessive Size Value
Memory Allocation with Excessive Size Value represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.