Cyber Resilience

CVE-2026-9538

High

Published: 26 May 2026

Published
26 May 2026
Modified
28 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0044 35.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-9538 is a high-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Archive\ \. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 35.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header. _read_tar() reads each entry's payload with $handle->read($$data, $block), where $block is derived from the entry's 12-byte size field in the tar header…

more

with no upper bound on that value. A crafted header declaring a multi-gigabyte size causes Perl to allocate a scalar of that size.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Memory exhaustion via unbounded tar header size field directly enables application/system DoS through exploitation of input parsing.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42496Same product: Archive\ \
CVE-2026-42497Same product: Archive\ \
CVE-2025-30211Shared CWE-789
CVE-2026-24146Shared CWE-789
CVE-2026-20048Shared CWE-789
CVE-2026-8485Shared CWE-789
CVE-2026-44375Shared CWE-789
CVE-2026-28253Shared CWE-789
CVE-2026-33524Shared CWE-789
CVE-2024-52791Shared CWE-789

Affected Assets

archive\
\
tar_project

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References