Description
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.

Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Published: 2026-03-29
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

Compress::Raw::Zlib is bundled with the Perl interpreter as a core module. The vendored copy of zlib that it uses contains several known vulnerabilities, including CVE‑2026‑3381. When the module processes specially crafted compressed data, it can execute arbitrary code in the context of the running Perl interpreter, potentially compromising the entire system.

Affected Systems

Perl releases from 5.9.4 up to 5.40.3, from 5.41.0 up to 5.42.1 and from 5.43.0 up to 5.43.8 distribute the vulnerable module. These versions are shipped by SHAY. The issue was fixed in Perl 5.40.4, 5.42.2 and 5.43.9, which ship Compress::Raw::Zlib 2.222. Some operating‑system distributors rebuild Perl to link against the system zlib; if their zlib library is version 1.3.2 or newer or has relevant patches, the vulnerability may not apply.

Risk and Exploitability

The CVSS score of 9.8 indicates a high impact if the flaw is exploited. The EPSS score of less than 1 % reflects current evidence of exploitation activity but does not diminish the risk; it still warrants prompt remediation. Because the vulnerability is not listed in the CISA KEV catalog, it may not be catalogued as a known exploited vulnerability yet, but the high severity warrants attention. Attackers could potentially provide crafted compressed input to any Perl process, whether executed locally or through a networked service that runs Perl code.

Generated by OpenCVE AI on March 31, 2026 at 07:22 UTC.

Remediation

Vendor Solution

Update to Perl stable release 5.40.4 or 5.42.2 or later, which include Compress::Raw::Zlib 2.222.

Vendor Workaround

Install Compress::Raw::Zlib 2.220 or later into your @INC include path, so it takes precedence over the vulnerable core module shipped with Perl. Some OS distributions patch their perl package to build Compress::Raw::Zlib against the system zlib rather than the vendored copy. Users of these distributions may not be affected if their system zlib has been updated to 1.3.2 or later, or includes backported patches for the relevant vulnerabilities.

OpenCVE Recommended Actions

  • Upgrade to a Perl stable release of at least 5.40.4 or 5.42.2, which includes the fixed Compress::Raw::Zlib module 2.222.
  • If an immediate upgrade is not possible, install Compress::Raw::Zlib version 2.220 or newer into your @INC path so that it takes precedence over the bundled vulnerable module.
  • For distributions that rebuild Perl against the system zlib, verify that your system zlib is at least version 1.3.2 or that any required patches have been applied; upgrade the library if necessary.
  • Keep abreast of security advisories and apply any future fixes as soon as they become available.

Generated by OpenCVE AI on March 31, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Perl
Perl perl
Weaknesses NVD-CWE-Other
CPEs cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
Vendors & Products Perl
Perl perl

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1104
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Shay
Shay perl
Vendors & Products Shay
Shay perl

Mon, 30 Mar 2026 06:30:00 +0000

Type Values Removed Values Added
References

Sun, 29 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Title Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib
Weaknesses CWE-1395
References

Subscriptions

Perl Perl
Shay Perl
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-30T15:35:08.162Z

Reserved: 2026-03-14T16:17:19.077Z

Link: CVE-2026-4176

cve-icon Vulnrichment

Updated: 2026-03-30T04:56:37.564Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-29T21:16:15.717

Modified: 2026-04-22T17:31:45.770

Link: CVE-2026-4176

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-29T20:50:51Z

Links: CVE-2026-4176 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:31Z

Weaknesses