Skip to main content

Text::LineFold EUVDEUVD-2026-33466

| CVE-2026-8594 MEDIUM
Asymmetric Resource Consumption (Amplification) (CWE-405)
2026-05-30 CPANSec GHSA-xfcf-wwr2-w555
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 01, 2026 - 17:27 vuln.today
Analysis Generated
Jun 01, 2026 - 17:27 vuln.today
CVSS changed
Jun 01, 2026 - 17:22 NVD
6.2 (MEDIUM)
CVE Published
May 30, 2026 - 15:32 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.

Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.

A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.

Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.

AnalysisAI

Resource amplification in Text::LineFold (Unicode-LineBreak Perl distribution, versions through 2019.001) causes output to be duplicated proportionally to the number of Unicode special line break characters present in the input string. The fold() method incorrectly passes the entire input string to the break() function on each segment iteration, rather than passing only the current segment, producing amplified output that grows with each VT, FF, or similar line break character encountered. No public exploit has been identified at time of analysis and EPSS sits at the 0th percentile, but any application accepting untrusted input and passing it through fold() is exposed to potential denial of service.

Technical ContextAI

Text::LineFold is a Perl module distributed as part of the Unicode-LineBreak package (author NEZUMI on CPAN, CPE: cpe:2.3:a:nezumi:text::linefold:*:*:*:*:*:*:*:*). Its fold() method implements Unicode line-breaking by splitting an input string into segments wherever special break characters appear (VT U+000B, FF U+000C, and others defined by Unicode line-breaking rules), then calling the internal break() function to reflow each segment. The defect, present at lines 407-415 of lib/Text/LineFold.pm, is that each iteration passes the full original string variable $str to break() instead of the current segment variable $s. This is a textbook CWE-405 (Asymmetric Resource Consumption - Amplification) flaw: the output length scales as O(N×M) where N is segment count and M is input length. The patch confirmed in GitHub PR #6 is a single-character correction: replacing $self->break($str) with $self->break($s).

RemediationAI

Apply the CPANSec-provided patch available at https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch, which corrects the fold() function to pass the current segment variable $s rather than the full input $str to break(). The upstream code fix is tracked in GitHub PR #6 at https://github.com/hatukanezumi/Unicode-LineBreak/pull/6; a released patched version of the Unicode-LineBreak CPAN distribution has not been independently confirmed from the available data - monitor CPAN for a new release from NEZUMI. As an interim compensating control, applications that pass untrusted input to Text::LineFold's fold() should strip or limit Unicode special line break characters (VT U+000B, FF U+000C, LS U+2028, PS U+2029, and NEL U+0085) before invoking fold(); note that this may alter the formatting of legitimately structured text. Additionally, enforcing a maximum input length before calling fold() limits the worst-case memory amplification at the cost of truncating long inputs.

Share

EUVD-2026-33466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy