Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
The Compress::Raw::Zlib module is delivered as a built-in core module (dual-life core module) in the Perl package and contains its own bundled copy of the zlib library. This bundled version of zlib is vulnerable to CVE-2026-3381 and CVE-2026-27171, which encompass a number of security flaws. The fix consists of updating the built-in Compress::Raw::Zlib module to version 2.221.
A remote attacker, without requiring authentication, can compromise the confidentiality, integrity, and availability of the system — potentially gaining full control over the vulnerable application or system.
Perl should be updated to version 5.40.4-RC1 or later (stable branch), 5.42.2-RC1 or later, or 5.43.9 or later (developer branch). Alternatively, manual update of the Compress::Raw::Zlib module to version 2.221 (commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94) is possible. Details are available in the vendor references.
Perl in versions from 5.9.4 to (excluding) 5.40.4-RC1, from 5.41.0 to (excluding) 5.42.2-RC1, and from 5.43.0 to (excluding) 5.43.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPerl
APPPerl5.9.4 – 5.40.4 (bez)5.41.0 – 5.42.2 (bez)5.43.0 – 5.43.9 (bez)
Related vulnerabilities
Heap buffer overflow w Perl przy kompilacji wyrażeń regularnych (32-bit)
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execut...
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that trigge...
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operatio...
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensiti...