Description
Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters.

The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption.

Note that the minify_utf8 function is an alias for minify.
Published: 2026-04-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Text::Minify::XS Perl module has a heap overflow when processing certain malformed UTF‑8 characters in its minify function (minify_utf8 is an alias for the same function), as stated in the updated advisory. The overflow corrupts heap memory and can crash the process that calls the minifier. The record itself scores the flaw for availability only (CVSS vector C:N/I:N/A:H; weaknesses CWE-122, heap-based buffer overflow, and CWE-176, improper handling of Unicode encoding): the advisory does not claim code execution. As with any heap overflow, an attacker who controls the input bytes might be able to turn the corruption into something more than a crash, but that is an inference from the bug class, not something the advisory confirms.

Affected Systems

The vulnerability affects the Text::Minify::XS module for Perl, published on CPAN by RRWO, in every release from v0.3.0 up to and including v0.7.7; the fix is in v0.7.8. Releases before v0.3.0 are not listed as affected. Any application that loads an affected version and passes user‑supplied text to minify or minify_utf8 is exposed to heap corruption. Applications that only minify static, developer‑controlled templates have a much smaller exposure than those that minify text originating from users.

Risk and Exploitability

The CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates high severity: the flaw is reachable over the network without privileges or user interaction, and the rated impact is loss of availability. The EPSS score of under 1% indicates a very low estimated likelihood of exploitation in the wild, and the vulnerability is not in CISA's KEV catalog; the SSVC assessment records Exploitation: none but Automatable: yes. Exploitation requires nothing more than getting a crafted malformed UTF‑8 string into one of the vulnerable functions. The confirmed outcome is a crash (denial of service); escalation to arbitrary code execution is plausible for a heap overflow but is inferred from the bug class rather than documented.

Generated by OpenCVE AI on May 2, 2026 at 00:40 UTC.

Remediation

Vendor Solution

Upgrade to v0.7.8 or later.


Vendor Workaround

Validate that all strings passed to the minify and minify_utf8 functions are well‑formed UTF‑8.

OpenCVE Recommended Actions

  • Upgrade Text::Minify::XS to v0.7.8 or later
  • Ensure all strings passed to the minify and minify_utf8 functions are validated as well‑formed UTF‑8 before the call, using a strict decode that rejects malformed sequences rather than silently replacing them
  • If an upgrade is not immediately feasible, run the module in a sandboxed or constrained environment to limit potential impact
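The following Perl script, added here as an illustration and not taken from the Text::Minify::XS distribution or from the CVE record, combines the vendor workaround and the recommended actions above: it refuses to compile against an affected version, and it rejects malformed UTF‑8 with a strict Encode decode before any bytes reach minify. The sample inputs are constructed. Two assumptions are mine rather than the project's: that callers hold raw octets (for example a request body) rather than already‑decoded character strings, and that minify returns a character string when given one.

```perl
#!/usr/bin/env perl
# Added example, not part of Text::Minify::XS or the CVE record.
# Defensive wrapper for the workaround: refuse malformed UTF-8 before it
# reaches minify(), and refuse to load an affected version at all.
use strict;
use warnings;
use Encode qw(decode encode FB_CROAK LEAVE_SRC);

# 'use Module VERSION LIST' dies at compile time if the installed version
# is older than the fixed release, so an affected build cannot load silently.
use Text::Minify::XS v0.7.8 qw(minify);

# safe_minify takes raw octets and returns minified UTF-8 octets, or dies
# with a descriptive message if the input is not well-formed UTF-8.
# Assumption: callers pass undecoded octets. If you already hold a decoded
# character string, skip the decode step and keep only the utf8::valid check.
sub safe_minify {
    my ($octets) = @_;

    # Strict decode: the 'UTF-8' encoding (with the hyphen) rejects surrogates
    # and out-of-range code points, and FB_CROAK dies on any malformed
    # sequence (truncated multibyte sequences, lone continuation bytes,
    # overlong forms) instead of substituting U+FFFD as the default would.
    my $text = eval { decode('UTF-8', $octets, FB_CROAK | LEAVE_SRC) };
    die "refusing to minify malformed UTF-8: $@" if $@;

    # Belt and braces: the string must be internally consistent as UTF-8
    # before the XS code walks it.
    die "internal UTF-8 state is inconsistent\n" unless utf8::valid($text);

    # Assumption: minify() returns a character string for character input,
    # so re-encode to octets for output.
    my $out = minify($text);
    return encode('UTF-8', $out);
}

# Constructed sample inputs.
my $good = "  <p>\xE2\x98\x83 snowman</p>\n\n";   # valid UTF-8 octets (U+2603)
my $bad  = "  <p>\xE2\x98</p>\n";                 # truncated 3-byte sequence

print safe_minify($good);

my $res = eval { safe_minify($bad) };
print "rejected: $@" unless defined $res;
```

To check what is installed before deploying the wrapper, `perl -MText::Minify::XS -e 'print Text::Minify::XS->VERSION, "\n"'` prints the loaded version; anything from v0.3.0 through v0.7.7 needs the upgrade.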

Advisories

No advisories yet.

History

Thu, 07 May 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Rrwo text\
CPEs
  Added: cpe:2.3:a:rrwo:text\:\:minify\:\:xs:*:*:*:*:*:perl:*:*
Vendors & Products
  Added: Rrwo text\

Fri, 01 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description
  Removed: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minify.
  Added: Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minify.
Title
  Removed: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters
  Added: Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description
  Removed: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.
  Added: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minify.

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Rrwo
  Added: Rrwo text::minify::xs
Vendors & Products
  Added: Rrwo
  Added: Rrwo text::minify::xs

Mon, 27 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
  Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
Description
  Added: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.
Title
  Added: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters
Weaknesses
  Added: CWE-122
  Added: CWE-176
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-01T16:03:02.431Z

Reserved: 2026-04-25T15:53:43.870Z

Link: CVE-2026-7040

Vulnrichment

Updated: 2026-04-27T16:33:01.648Z

NVD

Status : Analyzed

Published: 2026-04-27T13:16:02.710

Modified: 2026-05-07T02:20:57.817

Link: CVE-2026-7040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses