CVE-2026-8376
Published: May 26, 2026
Last modified: June 2, 2026
Description
Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
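As an added illustration (not Perl's own regcomp_study.c code), the following C snippet emulates the 32-bit SSize_t arithmetic the description refers to: the unchecked byte length mincount * l wraps, while a bounds check rejects it before an allocation is sized from it. The function names and the 32-bit stand-in type are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not Perl's regcomp_study.c: a 32-bit SSize_t
 * stand-in so the wrap described in the advisory shows on any host. */
typedef int32_t ssize32_t;
#define SSIZE32_MAX INT32_MAX

/* The weak computation: byte length = mincount * l in 32-bit arithmetic.
 * When the true product exceeds 2^31-1 the value wraps, and a buffer sized
 * from it is far smaller than the copy that follows. */
ssize32_t joined_len_unchecked(ssize32_t mincount, ssize32_t l)
{
    uint32_t wrapped = (uint32_t)mincount * (uint32_t)l;  /* defined wrap */
    return (ssize32_t)wrapped;
}

/* The hardened computation: reject any byte length that does not fit
 * SSize_t before it reaches the allocator. Returns -1 on overflow. */
ssize32_t joined_len_checked(ssize32_t mincount, ssize32_t l)
{
    if (mincount < 0 || l < 0)
        return -1;
    if (l != 0 && mincount > SSIZE32_MAX / l)
        return -1;                      /* mincount * l would overflow */
    return mincount * l;
}

int main(void)
{
    /* 536870913 copies of an 8-byte substring: 2^32 + 8 bytes in total */
    ssize32_t mincount = 536870913, l = 8;
    printf("unchecked: %d bytes\n", joined_len_unchecked(mincount, l));
    printf("checked:   %d (-1 = rejected)\n", joined_len_checked(mincount, l));
    printf("checked small: %d\n", joined_len_checked(1000, l));
    return 0;
}
```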
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | perl | Not affected (5.36.0-r0) |
| Alpaquita Linux | 25 LTS | perl | Not affected (5.40.2-r0) |
| Alpaquita Linux | Stream | perl | Not affected (5.36.0-r0) |
| Hardened Containers | 23 LTS | perl | Not affected (5.36.0-r0) |
| Hardened Containers | 25 LTS | perl | Not affected (5.40.2-r0) |
| Hardened Containers | Stream | perl | Not affected (5.36.0-r0) |