Description
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.

Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Published: 2026-03-29
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: High impact, potential code execution
Action: Immediate Patch
AI Analysis

Impact

Compress::Raw::Zlib is a core module bundled with the Perl interpreter. The vendored copy of zlib is vulnerable to CVE-2026-3381 and related CVE-2026-27171. When the module processes compressed data, the underlying vulnerable zlib can be exploited, potentially leading to a high impact. Based on the high CVSS score, it is inferred that an attacker could achieve code execution or other severe compromise, but the exact attack outcome is not explicitly stated in the vendor’s description.

Affected Systems

Perl releases from 5.9.4 to 5.40.3, from 5.41.0 to 5.42.1, and from 5.43.0 to 5.43.8 ship the vulnerable Compress::Raw::Zlib. The issue was resolved in Perl 5.40.4, 5.42.2, and 5.43.9, which bundle Compress::Raw::Zlib 2.222. Some Linux distributions rebuild Perl to link against the system zlib; if the system zlib is 1.3.2 or newer, or includes backported patches, the vulnerability may not apply.

Risk and Exploitability

The CVSS score of 9.8 indicates a high severity, and the EPSS score of < 1% shows low current exploitation data, but the high potential impact requires immediate attention. Based on the description of the bundled module’s reliance on a vendored zlib implementation, it is inferred that the likely attack vector involves supplying specially crafted compressed data to a Perl process. This could occur through local file input or remote network interfaces that parse or decompress data within a Perl application. The vulnerability is not listed in the CISA KEV catalog, underscoring the need for proactive patching.

Generated by OpenCVE AI on April 28, 2026 at 09:01 UTC.

Remediation

Vendor Solution

Update to Perl stable release 5.40.4 or 5.42.2 or later, which include Compress::Raw::Zlib 2.222.

Vendor Workaround

Install Compress::Raw::Zlib 2.220 or later into your @INC include path, so it takes precedence over the vulnerable core module shipped with Perl. Some OS distributions patch their perl package to build Compress::Raw::Zlib against the system zlib rather than the vendored copy. Users of these distributions may not be affected if their system zlib has been updated to 1.3.2 or later, or includes backported patches for the relevant vulnerabilities.

OpenCVE Recommended Actions

  • Upgrade to a Perl stable release that includes Compress::Raw::Zlib 2.222 or later (5.40.4, 5.42.2, or 5.43.9).
  • If an immediate upgrade is not possible, install Compress::Raw::Zlib 2.220 or newer into the @INC path so it overrides the vulnerable core module.
  • For distributions that rebuild Perl against the system zlib, verify that the system zlib is at least version 1.3.2 or that relevant patches have been applied; upgrade the library if necessary.

Generated by OpenCVE AI on April 28, 2026 at 09:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Perl
Perl perl
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
Vendors & Products Perl
Perl perl

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1104
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Shay
Shay perl
Vendors & Products Shay
Shay perl

Mon, 30 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Sun, 29 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Title Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib
Weaknesses CWE-1395
References

Subscriptions

Perl Perl
Shay Perl
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-30T15:35:08.162Z

Reserved: 2026-03-14T16:17:19.077Z

Link: CVE-2026-4176

cve-icon Vulnrichment

Updated: 2026-03-30T04:56:37.564Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T21:16:15.717

Modified: 2026-04-22T17:31:45.770

Link: CVE-2026-4176

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-29T20:50:51Z

Links: CVE-2026-4176 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:15:09Z

Weaknesses