Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.
Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.
A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.
Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.
AnalysisAI
Resource amplification in Text::LineFold (Unicode-LineBreak Perl distribution, versions through 2019.001) causes output to be duplicated proportionally to the number of Unicode special line break characters present in the input string. The fold() method incorrectly passes the entire input string to the break() function on each segment iteration, rather than passing only the current segment, producing amplified output that grows with each VT, FF, or similar line break character encountered. No public exploit has been identified at time of analysis and EPSS sits at the 0th percentile, but any application accepting untrusted input and passing it through fold() is exposed to potential denial of service.
Technical ContextAI
Text::LineFold is a Perl module distributed as part of the Unicode-LineBreak package (author NEZUMI on CPAN, CPE: cpe:2.3:a:nezumi:text::linefold:*:*:*:*:*:*:*:*). Its fold() method implements Unicode line-breaking by splitting an input string into segments wherever special break characters appear (VT U+000B, FF U+000C, and others defined by Unicode line-breaking rules), then calling the internal break() function to reflow each segment. The defect, present at lines 407-415 of lib/Text/LineFold.pm, is that each iteration passes the full original string variable $str to break() instead of the current segment variable $s. This is a textbook CWE-405 (Asymmetric Resource Consumption - Amplification) flaw: the output length scales as O(N×M) where N is segment count and M is input length. The patch confirmed in GitHub PR #6 is a single-character correction: replacing $self->break($str) with $self->break($s).
RemediationAI
Apply the CPANSec-provided patch available at https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch, which corrects the fold() function to pass the current segment variable $s rather than the full input $str to break(). The upstream code fix is tracked in GitHub PR #6 at https://github.com/hatukanezumi/Unicode-LineBreak/pull/6; a released patched version of the Unicode-LineBreak CPAN distribution has not been independently confirmed from the available data - monitor CPAN for a new release from NEZUMI. As an interim compensating control, applications that pass untrusted input to Text::LineFold's fold() should strip or limit Unicode special line break characters (VT U+000B, FF U+000C, LS U+2028, PS U+2029, and NEL U+0085) before invoking fold(); note that this may alter the formatting of legitimately structured text. Additionally, enforcing a maximum input length before calling fold() limits the worst-case memory amplification at the cost of truncating long inputs.
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stac
Vulnerability in the Oracle Text component of Oracle Database Server. Rated high severity (CVSS 8.2), this vulnerability
Vulnerability in the Oracle Text component of Oracle Database Server. Rated high severity (CVSS 8.1), this vulnerability
Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 c
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take sign
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder ent
Vulnerability in the Oracle Text component of Oracle Database Server. Rated high severity (CVSS 7.2), this vulnerability
Vulnerability in the Oracle Text component of Oracle Database Server. Rated low severity (CVSS 3.1), this vulnerability
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33466
GHSA-xfcf-wwr2-w555