Archive::Tar Memory Exhaustion Vulnerability in Perl

Vulnerability

A memory exhaustion vulnerability exists in Archive::Tar versions prior to 3.10 for Perl. The issue arises from the tar header's entry size field, which is attacker-controlled. The _read_tar() function reads each entry's payload with a read sized by the declared entry size and applies no upper limit, so the allocation is bounded only by the value in the header. A crafted header that claims a multi-gigabyte size therefore causes Perl to allocate a scalar of that size.

Impact

Exploitation of this vulnerability causes the application to consume excessive memory, resulting in a denial-of-service condition.

Reproduction

To reproduce this vulnerability, create a tar archive with a header that declares an entry size of several gigabytes. When this archive is processed by Archive::Tar versions prior to 3.10, the library will allocate memory corresponding to the declared size, leading to memory exhaustion.
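As an added example (not part of this advisory and not Archive::Tar's own code), the following Perl script pre-scans an uncompressed tar file's header chain before the file is handed to Archive::Tar, rejecting any entry whose declared size exceeds a policy cap or does not physically fit in the archive. The cap values, the function names (`precheck_tar`, `entry_size`, `make_header`) and the in-memory sample archives are assumptions constructed for the illustration; the sample's oversized header mirrors the crafted header described above but carries no payload, so the scan shows the check firing without any large allocation taking place.

```perl
#!/usr/bin/perl
# Added example: defensive pre-scan of a tar header chain (not Archive::Tar code).
use strict;
use warnings;

use constant BLOCK     => 512;
use constant MAX_ENTRY => 256 * 1024 * 1024;    # assumed policy: 256 MiB per entry
use constant MAX_TOTAL => 1024 * 1024 * 1024;   # assumed policy: 1 GiB declared in total

# Decode the 12-byte size field at header offset 124: ASCII octal in
# POSIX/ustar archives, or GNU base-256 when the first byte's high bit is set.
sub entry_size {
    my ($hdr) = @_;
    my $field = substr($hdr, 124, 12);
    if (ord(substr($field, 0, 1)) & 0x80) {
        my $n = 0;
        $n = $n * 256 + ord($_) for split //, substr($field, 1);
        return $n;
    }
    my ($digits) = $field =~ /^\s*([0-7]+)/;
    return defined $digits ? oct($digits) : 0;
}

# Walk the headers only, never reading payloads. Returns (1, undef) when every
# entry is within policy and physically present, (0, reason) otherwise.
sub precheck_tar {
    my ($fh, $archive_len) = @_;
    my ($offset, $total) = (0, 0);
    while ($offset + BLOCK <= $archive_len) {
        seek($fh, $offset, 0) or return (0, "seek to $offset failed");
        my $got = read($fh, my $hdr, BLOCK);
        return (0, "short header at offset $offset") unless $got == BLOCK;
        last if $hdr eq "\0" x BLOCK;                 # end-of-archive marker
        my $name = unpack('Z100', $hdr);
        my $size = entry_size($hdr);
        return (0, "entry '$name' declares $size bytes, over the per-entry cap")
            if $size > MAX_ENTRY;
        $total += $size;
        return (0, "declared sizes total $total bytes, over the archive cap")
            if $total > MAX_TOTAL;
        my $padded    = int(($size + BLOCK - 1) / BLOCK) * BLOCK;
        my $remaining = $archive_len - $offset - BLOCK;
        return (0, "entry '$name' declares $size bytes but only $remaining remain")
            if $padded > $remaining;
        $offset += BLOCK + $padded;
    }
    return (1, undef);
}

# Build a ustar header for the constructed sample below (checksum included).
sub make_header {
    my ($name, $size) = @_;
    my $hdr = pack('a100 a8 a8 a8 a12 a12 a8 a1 a100 a6 a2 a32 a32 a8 a8 a155',
        $name, '0000644', '0000000', '0000000',
        sprintf('%011o', $size), sprintf('%011o', 0), ' ' x 8, '0', '',
        'ustar', '00', 'root', 'root', '0000000', '0000000', '');
    $hdr .= "\0" x (BLOCK - length $hdr);
    my $sum = 0;
    $sum += ord($_) for split //, $hdr;
    substr($hdr, 148, 8) = sprintf('%06o', $sum) . "\0 ";
    return $hdr;
}

# Constructed in-memory archives (not real files): one benign 5-byte entry,
# and the same entry followed by a header that declares 4 GiB with no payload.
my $benign = make_header('hello.txt', 5) . 'hello' . ("\0" x (BLOCK - 5));
my $bogus  = make_header('huge.bin', 4 * 1024 * 1024 * 1024);
my $eof    = "\0" x (2 * BLOCK);

for my $case ([benign => $benign . $eof], [crafted => $benign . $bogus . $eof]) {
    my ($label, $bytes) = @$case;
    open(my $fh, '<', \$bytes) or die "in-memory open failed: $!";
    binmode $fh;
    my ($ok, $why) = precheck_tar($fh, length $bytes);
    printf "%-8s %s\n", $label, $ok ? 'OK, safe to pass to Archive::Tar->read' : "REJECT: $why";
    close $fh;
}
```

The scan needs a seekable, uncompressed archive whose total length is known; a gzip stream would have to be decompressed to a temporary file first. It complements the upgrade rather than replacing it: the pre-check bounds what an untrusted archive may declare, while the library fix bounds what the reader will actually allocate.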

Remediation

Users are advised to upgrade to Archive::Tar version 3.10 or later.

Added: May 26, 2026, 5:44 PM
Updated: May 26, 2026, 5:44 PM

Vulnerability Rating

Custom Algorithm
  spread          6.6
  impact          2.5
  exploitability  5.7
  remediation     7.7
  relevance       9.6
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.