Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
The Perl_study_chunk function in the regcomp_study.c file incorrectly checked buffer size for a concatenated substring — it operated on character count instead of byte count. With a quantified constant substring with a large minimum repetition count, the expression mincount * l could overflow the SSize_t type, causing SvGROW to allocate too little memory. The subsequent copy operation exceeded the boundaries of the allocated heap buffer. An attacker can trigger this flaw by providing a crafted regular expression that is then compiled by the target application on a 32-bit Perl environment.
An attacker can cause data to be written beyond heap buffer boundaries during regular expression compilation, potentially enabling arbitrary code execution (RCE), disclosure of sensitive data, or application instability.
Apply the patch available in the Perl project repository (commit 5e7f119eb2bb1181be908701f22bf7068e722f1c) or update Perl to a version containing the fix according to vendor references. As a workaround, consider migrating to a 64-bit compilation, where SSize_t overflow does not occur.
Perl in versions up to and including 5.43.10, 32-bit compilations only.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPerl
APPPerl≤ 5.43.10
Related vulnerabilities
Podatność zlib w module Compress::Raw::Zlib w Perl (CVE-2026-4176)
In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execut...
Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that trigge...
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operatio...
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensiti...