CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-8376

CVSS 9.8pub. 2026-05-26upd. 2026-05-27

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

🤖 AI Analysis
How it works

The Perl_study_chunk function in the regcomp_study.c file incorrectly checked buffer size for a concatenated substring — it operated on character count instead of byte count. With a quantified constant substring with a large minimum repetition count, the expression mincount * l could overflow the SSize_t type, causing SvGROW to allocate too little memory. The subsequent copy operation exceeded the boundaries of the allocated heap buffer. An attacker can trigger this flaw by providing a crafted regular expression that is then compiled by the target application on a 32-bit Perl environment.

Impact

An attacker can cause data to be written beyond heap buffer boundaries during regular expression compilation, potentially enabling arbitrary code execution (RCE), disclosure of sensitive data, or application instability.

Mitigation & patch

Apply the patch available in the Perl project repository (commit 5e7f119eb2bb1181be908701f22bf7068e722f1c) or update Perl to a version containing the fix according to vendor references. As a workaround, consider migrating to a 64-bit compilation, where SSize_t overflow does not occur.

Who is affected

Perl in versions up to and including 5.43.10, 32-bit compilations only.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Perl

    APP
    Perl
    ≤ 5.43.10
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Memory
CWE
References

Related vulnerabilities

CVE-2026-4176CRITICAL9.8PL ✓ten sam produkt

Podatność zlib w module Compress::Raw::Zlib w Perl (CVE-2026-4176)

CVE-2022-48522CRITICAL9.8ten sam produkt

In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execut...

CVE-2018-18311CRITICAL9.8ten sam produkt

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that trigge...

CVE-2018-18314CRITICAL9.8ten sam produkt

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operatio...

CVE-2018-18313CRITICAL9.1ten sam produkt

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensiti...