CVE-2025-40909

EUVD-2025-16506
Perl threads have a working-directory race condition in which file operations may target unintended paths.

If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread. Because the working directory belongs to the whole process, that change is visible to any third (or further) thread already running: a relative path such a thread resolves during that window is resolved against the cloned handle's directory rather than the directory the program believes it is in.

This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit.

The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6.
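The following script is an added probe written for this page, not code from the Perl project or from the advisory. It reproduces the three-thread scenario described above: one thread repeatedly resolves a relative path ('.') while another thread creates threads with a directory handle held open. On an affected, ithreads-enabled perl the observer occasionally sees the process sitting in the directory of the open handle. The temp-directory layout, the iteration count of 500 and the dir_id helper are assumptions of the example; a count of zero does not prove the build is fixed, since the window is only a few system calls wide.

```perl
#!/usr/bin/env perl
# Added probe for the CVE-2025-40909 working-directory window.
# Requires a perl built with ithreads (perl -V:useithreads). Layout and counts are constructed.
use strict;
use warnings;
use threads;
use threads::shared;
use Config;
use Cwd qw(getcwd);
use File::Temp qw(tempdir);

die "this perl has no ithreads support; the race needs threads\n" unless $Config{useithreads};

# Upstream range given by the CNA: 5.13.6 <= x < 5.41.13. Distro packages may carry a
# backported fix at a lower version, so this is only an indication, not a verdict.
my $in_range = $] >= 5.013006 && $] < 5.041013;
printf "perl %vd, inside upstream affected range: %s\n", $^V, $in_range ? "yes" : "no";

my $orig  = getcwd();
my $base  = tempdir(CLEANUP => 1);   # directory the program believes it is working in
my $other = "$base/elsewhere";       # directory whose handle stays open during thread creation
mkdir $other or die "mkdir $other: $!";
chdir $base  or die "chdir $base: $!";

# Identify a directory by (device, inode), not by path string, so symlinked temp
# locations (/tmp vs /private/tmp) cannot produce false positives.
sub dir_id { my @st = stat($_[0]) or die "stat $_[0]: $!"; return "$st[0]:$st[1]" }
my $base_id  = dir_id($base);
my $other_id = dir_id($other);

my $stop  :shared = 0;
my $wrong :shared = 0;   # times '.' resolved to the directory of the open handle

# Third thread: keeps doing a relative-path operation, as any "require" or open()
# of a relative path in a busy worker would.
my $observer = threads->create(sub {
    while (!$stop) {
        my $id = dir_id('.');
        if ($id eq $other_id) { lock($wrong); $wrong++ }
    }
});

# Spawner: with a DIR handle open, every threads->create has to clone that handle.
# On affected builds the clone is done by fchdir()-ing the whole process into
# $other, reopening '.', and fchdir()-ing back, which is the window observed above.
opendir(my $dh, $other) or die "opendir $other: $!";
threads->create(sub { 1 })->join for 1 .. 500;
closedir $dh;

$stop = 1;
$observer->join;
chdir $orig;
printf "'.' resolved to the open handle's directory %d time(s) over 500 thread creations\n", $wrong;
```

Two practical consequences follow from the mechanism the probe exercises. First, the fix is in the interpreter, so the remedy is the patched perl package for the platform (see the distribution tables below); no change in a script can close the window once a directory handle is open at threads->create time. Second, until the package is updated, code that spawns threads should closedir any directory handles first and should not rely on relative paths in concurrently running threads, since a relative open or require in another thread is exactly what the window redirects.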
Provider  Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required
CPANSec   CNA   5.9 MEDIUM  LOCAL        LOW              NONE
Vector (CVSS 3.x base score): CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score: percentile 9%
Early Detection: affected products identified ahead of NVD analysis through intelligence sources.
Vendor  Product  Version               Source
perl    perl     5.13.6 ≤ x < 5.41.13  CNA
Debian Releases (product: perl)
Codename             Version           Status
bookworm             5.36.0-7+deb12u3  fixed
bookworm (security)  -                 vulnerable
bullseye             -                 vulnerable
bullseye (security)  5.32.1-4+deb11u5  fixed
forky                5.40.1-7          fixed
sid                  5.40.1-7          fixed
trixie               5.40.1-6          fixed
openSUSE / SLES Releases
Every package/product pair below is marked fixed in release 5.26.1-150300.17.20.1.

Package            Products
perl               suse enterprise desktop 15 SP6, SP7; suse enterprise sap 15 SP6, SP7; suse enterprise server 15 SP4, SP6, SP7
perl-base          suse enterprise desktop 15 SP6, SP7; suse enterprise sap 15 SP6, SP7; suse enterprise server 15 SP4, SP6, SP7
perl-base-32bit    suse enterprise desktop 15 SP6, SP7; suse enterprise sap 15 SP6, SP7; suse enterprise server 15 SP4, SP6, SP7
perl-core-DB_File  suse enterprise desktop 15 SP6, SP7; suse enterprise sap 15 SP6, SP7; suse enterprise server 15 SP4, SP6, SP7
perl-doc           suse enterprise server 15 SP4
Red Hat Enterprise Linux Releases
All listed builds are marked fixed; "-" means the package is not listed for that release.

Package                      RHEL 8                  RHEL 9
perl                         4:5.26.3-423.el8_10     4:5.32.1-481.1.el9_6
perl-Attribute-Handlers      0:0.99-423.el8_10       0:1.01-481.1.el9_6
perl-AutoLoader              -                       0:5.74-481.1.el9_6
perl-AutoSplit               -                       0:5.74-481.1.el9_6
perl-B                       -                       0:1.80-481.1.el9_6
perl-Benchmark               -                       0:1.23-481.1.el9_6
perl-Class-Struct            -                       0:0.66-481.1.el9_6
perl-Config-Extensions       -                       0:0.03-481.1.el9_6
perl-DBM                     -                       0:0.06-481.1.el9_6
perl-Devel-Peek              0:1.26-423.el8_10       0:1.28-481.1.el9_6
perl-Devel-SelfStubber       0:1.06-423.el8_10       0:1.06-481.1.el9_6
perl-DirHandle               -                       0:1.05-481.1.el9_6
perl-Dumpvalue               -                       0:2.27-481.1.el9_6
perl-DynaLoader              -                       0:1.47-481.1.el9_6
perl-English                 -                       0:1.11-481.1.el9_6
perl-Errno                   0:1.28-423.el8_10       0:1.30-481.1.el9_6
perl-ExtUtils-Constant       -                       0:0.25-481.1.el9_6
perl-ExtUtils-Embed          0:1.34-423.el8_10       0:1.35-481.1.el9_6
perl-ExtUtils-Miniperl       0:1.06-423.el8_10       0:1.09-481.1.el9_6
perl-Fcntl                   -                       0:1.13-481.1.el9_6
perl-File-Basename           -                       0:2.85-481.1.el9_6
perl-File-Compare            -                       0:1.100.600-481.1.el9_6
perl-File-Copy               -                       0:2.34-481.1.el9_6
perl-File-DosGlob            -                       0:1.12-481.1.el9_6
perl-File-Find               -                       0:1.37-481.1.el9_6
perl-File-stat               -                       0:1.09-481.1.el9_6
perl-FileCache               -                       0:1.10-481.1.el9_6
perl-FileHandle              -                       0:2.03-481.1.el9_6
perl-FindBin                 -                       0:1.51-481.1.el9_6
perl-GDBM                    -                       0:1.18-481.1.el9_6
perl-Getopt-Std              -                       0:1.12-481.1.el9_6
perl-Hash-Util               -                       0:0.23-481.1.el9_6
perl-Hash-Util-FieldHash     -                       0:1.20-481.1.el9_6
perl-I18N-Collate            -                       0:1.02-481.1.el9_6
perl-I18N-LangTags           -                       0:0.44-481.1.el9_6
perl-I18N-Langinfo           -                       0:0.19-481.1.el9_6
perl-IO                      0:1.38-423.el8_10       0:1.43-481.1.el9_6
perl-IO-Zlib                 1:1.10-423.el8_10       -
perl-IPC-Open3               -                       0:1.21-481.1.el9_6
perl-Locale-Maketext-Simple  1:0.21-423.el8_10       1:0.21-481.1.el9_6
perl-Math-Complex            0:1.59-423.el8_10       0:1.59-481.1.el9_6
perl-Memoize                 0:1.03-423.el8_10       0:1.03-481.1.el9_6
perl-Module-Loaded           1:0.08-423.el8_10       1:0.08-481.1.el9_6
perl-NDBM                    -                       0:1.15-481.1.el9_6
perl-NEXT                    -                       0:0.67-481.1.el9_6
perl-Net                     -                       0:1.02-481.1.el9_6
perl-Net-Ping                0:2.55-423.el8_10       -
perl-ODBM                    -                       0:1.16-481.1.el9_6
perl-Opcode                  -                       0:1.48-481.1.el9_6
perl-POSIX                   -                       0:1.94-481.1.el9_6
perl-Pod-Functions           -                       0:1.13-481.1.el9_6
perl-Pod-Html                0:1.22.02-423.el8_10    0:1.25-481.1.el9_6
perl-Safe                    -                       0:2.41-481.1.el9_6
perl-Search-Dict             -                       0:1.07-481.1.el9_6
perl-SelectSaver             -                       0:1.02-481.1.el9_6
perl-SelfLoader              0:1.23-423.el8_10       0:1.26-481.1.el9_6
perl-Symbol                  -                       0:1.08-481.1.el9_6
perl-Sys-Hostname            -                       0:1.23-481.1.el9_6
perl-Term-Complete           -                       0:1.403-481.1.el9_6
perl-Term-ReadLine           -                       0:1.17-481.1.el9_6
perl-Test                    0:1.30-423.el8_10       0:1.31-481.1.el9_6
perl-Text-Abbrev             -                       0:1.02-481.1.el9_6
perl-Thread                  -                       0:3.05-481.1.el9_6
perl-Thread-Semaphore        -                       0:2.13-481.1.el9_6
perl-Tie                     -                       0:4.6-481.1.el9_6
perl-Tie-File                -                       0:1.06-481.1.el9_6
perl-Tie-Memoize             -                       0:1.1-481.1.el9_6
perl-Time                    -                       0:1.03-481.1.el9_6
perl-Time-Piece              0:1.31-423.el8_10       0:1.3401-481.1.el9_6
perl-Unicode-UCD             -                       0:0.75-481.1.el9_6
perl-User-pwent              -                       0:1.03-481.1.el9_6
perl-autouse                 -                       0:1.11-481.1.el9_6
perl-base                    -                       0:2.27-481.1.el9_6
perl-blib                    -                       0:1.07-481.1.el9_6
perl-debugger                -                       0:1.56-481.1.el9_6
perl-deprecate               -                       0:0.04-481.1.el9_6
perl-devel                   4:5.26.3-423.el8_10     4:5.32.1-481.1.el9_6
perl-diagnostics             -                       0:1.37-481.1.el9_6
perl-doc                     -                       0:5.32.1-481.1.el9_6
perl-encoding-warnings       -                       0:0.13-481.1.el9_6
perl-fields                  -                       0:2.27-481.1.el9_6
perl-filetest                -                       0:1.03-481.1.el9_6
perl-if                      -                       0:0.60.800-481.1.el9_6
perl-interpreter             4:5.26.3-423.el8_10     4:5.32.1-481.1.el9_6
perl-less                    -                       0:0.03-481.1.el9_6
perl-lib                     -                       0:0.65-481.1.el9_6
perl-libnetcfg               4:5.26.3-423.el8_10     4:5.32.1-481.1.el9_6
perl-libs                    4:5.26.3-423.el8_10     4:5.32.1-481.1.el9_6
perl-locale                  -                       0:1.09-481.1.el9_6
perl-macros                  4:5.26.3-423.el8_10     4:5.32.1-481.1.el9_6
perl-meta-notation           -                       0:5.32.1-481.1.el9_6
perl-mro                     -                       0:1.23-481.1.el9_6
perl-open                    0:1.11-423.el8_10       0:1.12-481.1.el9_6
perl-overload                -                       0:1.31-481.1.el9_6
perl-overloading             -                       0:0.02-481.1.el9_6
perl-ph                      -                       0:5.32.1-481.1.el9_6
perl-sigtrap                 -                       0:1.09-481.1.el9_6
perl-sort                    -                       0:2.04-481.1.el9_6
perl-subs                    -                       0:1.03-481.1.el9_6
perl-tests                   4:5.26.3-423.el8_10     -
perl-utils                   0:5.26.3-423.el8_10     0:5.32.1-481.1.el9_6
perl-vars                    -                       0:1.05-481.1.el9_6
perl-vmsish                  -                       0:1.04-481.1.el9_6