CVE-2026-8376

EUVD-2026-31772

26.05.2026, 00:16

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.

Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.

A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Debian Releases

Debian Product

Codename

perl

bookworm	no-dsa
bookworm (security)	vulnerable
bullseye	postponed
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	no-dsa

Common Weakness Enumeration

CWE-680 - Integer Overflow to Buffer Overflow
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

Vulnerability Media Exposure

[GERMAN] Perl: Schwachstelle ermöglicht nicht spezifizierten Angriff
Ein Angreifer kann eine Schwachstelle in Perl ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Published: 2026-05-25T22:00:00+00:00

References

https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch

http://www.openwall.com/lists/oss-security/2026/05/26/1