Skip to main content

Perl CVE-2026-8376

| EUVDEUVD-2026-31772 CRITICAL
Integer Overflow to Buffer Overflow (CWE-680)
2026-05-25 CPANSec GHSA-mpxq-89h3-qc47
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
May 27, 2026 - 21:47 vuln.today
Analysis Generated
May 27, 2026 - 21:47 vuln.today
CVSS changed
May 27, 2026 - 19:37 NVD
9.8 (CRITICAL)
CVE Published
May 25, 2026 - 23:53 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.

Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.

A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

AnalysisAI

Heap-based buffer overflow in Perl interpreters up to and including 5.43.10 on 32-bit builds lets a caller that compiles an attacker-controlled regular expression corrupt heap memory at regex compile time, with potential for code execution. The flaw stems from an integer overflow in Perl_study_chunk when optimizing a repeated fixed substring, and is rated CVSS 9.8 by NVD. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; the issue is limited to 32-bit Perl builds and applications that feed untrusted input into regex compilation.

Technical ContextAI

Perl's regex engine includes an optimization pass (Perl_study_chunk in regcomp_study.c) that joins and pre-expands fixed substrings to speed up matching. When a fixed string is quantified with a minimum repeat count, the engine allocates a buffer via SvGROW and copies the substring mincount times. The bug, classified as CWE-680 (Integer Overflow to Buffer Overflow), is that the size check was performed in characters rather than bytes: the byte length computed as mincount * l (length) could overflow the signed SSize_t type, which on 32-bit builds is only 32 bits wide. The overflow yields a small, wrapped value passed to SvGROW, producing an undersized allocation, after which the subsequent copy writes past the end of the heap buffer. The official commit (5e7f119e) adds an explicit overflow guard (mincount >= SSize_t_MAX/l or old > SSize_t_MAX - mincount*l) that raises 'Regexp out of space' instead of overflowing. The affected component is the core Perl interpreter itself (CPE cpe:2.3:a:shay:perl:*), not a specific CPAN module.

RemediationAI

Upstream fix available (commit 5e7f119eb2bb1181be908701f22bf7068e722f1c); a released patched tagged version was not independently confirmed from the provided data, so apply the vendor/distribution build that incorporates this commit once published, or rebuild Perl from source with the patch applied (it adds an overflow guard in Perl_study_chunk that fails compilation with 'Regexp out of space' instead of overflowing). As a compensating control where patching is not immediately possible, the most effective and low-cost mitigation is to run a 64-bit Perl build instead of 32-bit, which removes the SSize_t overflow condition entirely; the trade-off is increased memory footprint and the need to rebuild/redeploy. If the platform must remain 32-bit, stop passing untrusted input into regex compilation - validate or whitelist regex sources, and cap the maximum quantifier repeat count permitted in user-supplied patterns (trade-off: may reject legitimate large-count patterns). Reference the upstream commit and the oss-security advisory (http://www.openwall.com/lists/oss-security/2026/05/26/1) when coordinating distro updates.

More in Perl

View all
CVE-2012-6329 HIGH POC
7.5 Jan 04

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly hand

CVE-2017-12814 CRITICAL POC
9.8 Sep 28

Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before

CVE-2015-8608 CRITICAL POC
9.8 Feb 07

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of

CVE-2018-18314 CRITICAL POC
9.8 Dec 07

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Rated

CVE-2018-18312 CRITICAL POC
9.8 Dec 05

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid

CVE-2018-18313 CRITICAL POC
9.1 Dec 07

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive informa

CVE-2016-2381 HIGH
7.5 Apr 08

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate e

CVE-2023-31484 HIGH POC
8.1 Apr 29

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Rated high severity (CVS

CVE-2016-6185 HIGH POC
7.8 Aug 02

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which mig

CVE-2018-12015 HIGH POC
7.5 Jun 07

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mecha

CVE-2015-8853 HIGH
7.5 May 25

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-depe

CVE-2017-12883 CRITICAL
9.1 Sep 19

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 al

Vendor StatusVendor

SUSE

Severity: High
Product Status
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed
SLES15-SP6-CHOST-BYOS-EC2 Fixed

Share

CVE-2026-8376 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy