Skip to main content

Perl CVE-2026-4176

| EUVDEUVD-2026-17044 CRITICAL
Dependency on Vulnerable Third-Party Component (CWE-1395)
2026-03-29 CPANSec GHSA-q2q4-jjp8-f6m3
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.0 MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 17:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 29, 2026 - 21:15 euvd
EUVD-2026-17044
Analysis Generated
Mar 29, 2026 - 21:15 vuln.today
Patch released
Mar 29, 2026 - 21:15 nvd
Patch available
CVE Published
Mar 29, 2026 - 20:50 nvd
CRITICAL 9.8

DescriptionCVE.org

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.

Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

AnalysisAI

Perl versions 5.9.4-5.40.3, 5.41.0-5.42.1, and 5.43.0-5.43.8 bundle a vulnerable version of Compress::Raw::Zlib that inherits multiple information-disclosure vulnerabilities from a vendored zlib library, including CVE-2026-27171. Affected users running these Perl versions can experience data exposure through the bundled compression module. Vendor patches are available in Perl 5.40.4, 5.42.2, and 5.43.9 via Compress::Raw::Zlib 2.221.

Technical ContextAI

Perl distributes Compress::Raw::Zlib as a dual-life core module-maintained both in the Perl source tree and on CPAN as a standalone package. This module wraps zlib, a widely-used compression library. The vulnerability chain stems from CVE-2026-3381 (a zlib flaw) and CVE-2026-27171 (another zlib vulnerability), both of which are inherited when Perl vendors an outdated zlib snapshot. CWE-1395 (Incomplete Reference Counting) indicates the root cause involves improper memory or resource tracking in zlib's handling of compressed data structures. Affected CPE: cpe:2.3:a:shay:perl:*:*:*:*:*:*:*:* covers all Perl versions until patched branches.

RemediationAI

Vendor-released patch: Upgrade to Perl 5.40.4 or later, Perl 5.42.2 or later, or Perl 5.43.9 or later, which bundle Compress::Raw::Zlib 2.221. Alternatively, users on unpatched Perl versions can independently upgrade Compress::Raw::Zlib to version 2.221 from CPAN via 'cpan Compress::Raw::Zlib' or 'perl -MCPAN -e "install Compress::Raw::Zlib"'. For systems with custom Perl builds, ensure zlib dependencies are updated to a non-vulnerable version before rebuilding. Consult https://lists.security.metacpan.org/cve-announce/msg/37638919/ for CPANSec advisories and https://github.com/Perl/perl5/commit/c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94 to verify the upstream fix.

More in Perl

View all
CVE-2012-6329 HIGH POC
7.5 Jan 04

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly hand

CVE-2017-12814 CRITICAL POC
9.8 Sep 28

Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before

CVE-2015-8608 CRITICAL POC
9.8 Feb 07

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of

CVE-2018-18314 CRITICAL POC
9.8 Dec 07

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Rated

CVE-2018-18312 CRITICAL POC
9.8 Dec 05

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid

CVE-2018-18313 CRITICAL POC
9.1 Dec 07

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive informa

CVE-2016-2381 HIGH
7.5 Apr 08

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate e

CVE-2023-31484 HIGH POC
8.1 Apr 29

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Rated high severity (CVS

CVE-2016-6185 HIGH POC
7.8 Aug 02

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which mig

CVE-2018-12015 HIGH POC
7.5 Jun 07

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mecha

CVE-2015-8853 HIGH
7.5 May 25

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-depe

CVE-2017-12883 CRITICAL
9.1 Sep 19

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 al

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-4176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy