Description
Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.

Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.

A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
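
The size calculation described above, modelled as an added example (not Perl's source code, and not the upstream patch). It assumes SSize_t is a 32-bit signed integer; the function names, the split into character and byte lengths, and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: SSize_t is a 32-bit signed integer on the affected builds. */
#define SSIZE32_MAX INT32_MAX

/* Flawed guard (model): bounds the joined length in characters only. */
static bool char_guard_passes(uint32_t mincount, uint32_t len_chars) {
    return (uint64_t)mincount * len_chars <= (uint64_t)SSIZE32_MAX;
}

/* Byte length as 32-bit arithmetic yields it: the product modulo 2^32. */
static uint32_t wrapped_byte_len(uint32_t mincount, uint32_t len_bytes) {
    return (uint32_t)((uint64_t)mincount * len_bytes);
}

/* Hardened guard: refuse unless mincount * len_bytes fits in SSize_t. */
static bool byte_len_checked(uint32_t mincount, uint32_t len_bytes, int32_t *out) {
    if (len_bytes != 0 && mincount > (uint32_t)SSIZE32_MAX / len_bytes)
        return false;                       /* would overflow: reject */
    *out = (int32_t)((uint64_t)mincount * len_bytes);
    return true;
}

int main(void) {
    /* Constructed values: one character stored as 3 bytes, large minimum count. */
    uint32_t mincount = 1431655766u, len_chars = 1, len_bytes = 3;
    int32_t safe_len = 0;

    printf("character guard passes: %d\n", char_guard_passes(mincount, len_chars));
    printf("bytes needed: %llu, bytes requested after wrap: %u\n",
           (unsigned long long)mincount * len_bytes,
           wrapped_byte_len(mincount, len_bytes));
    printf("byte-based guard accepts: %d\n",
           byte_len_checked(mincount, len_bytes, &safe_len));
    return 0;
}
```

The character-based guard accepts the input while the wrapped byte length is far smaller than what the copy needs; the byte-based guard rejects it before any allocation is sized.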
Published: 2026-05-25
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Perl releases through 5.43.10 contain a heap buffer overflow that occurs when compiling regular expressions which include a repeated fixed string on 32‑bit builds. The bug arises because Perl's regex compiler calculates the required buffer size in characters, not bytes, for a quantified fixed substring with a large minimum count. Multiplying this minimum count by the substring length can overflow the signed size type, causing an undersized allocation and a subsequent memory overwrite during the compilation of the expression. An attacker who can supply a regular expression to a Perl program running on a 32‑bit build can trigger this overflow during compile time, potentially leading to arbitrary code execution or program termination.

Affected Systems

The vulnerability affects all 32‑bit builds of Perl versions up to and including 5.43.10. No explicit statement in the CVE covers 64‑bit builds, so the vulnerability status for those builds remains undetermined.

Risk and Exploitability

The EPSS score is less than 1%, the CVSS score is 7.3, and the vulnerability is not listed in CISA's KEV catalog, which limits public data on how frequently it is exploited. However, buffer overflows of this nature are historically classified as high‑severity, and the fact that the overflow occurs during regex compilation gives an attacker a relatively low barrier to exploitation when untrusted input is processed. Consequently, any application that compiles user‑supplied regular expressions on a 32‑bit Perl installation is at high risk of code execution or denial of service.

Generated by OpenCVE AI on May 27, 2026 at 22:23 UTC.

Remediation

Vendor Solution

Upgrade to a future perl release, or apply the upstream patch.


Vendor Workaround

On 32-bit perl builds, avoid compiling regular expressions from untrusted input until a fixed release is installed.


OpenCVE Recommended Actions

  • Upgrade Perl to version 5.43.11 or later, or apply the upstream patch provided at the referenced commit link.
  • If an upgrade cannot be performed immediately, do not compile any user‑supplied regular expressions on 32‑bit Perl installations until the patch or an updated release is applied.
  • Perform input validation to ensure that quantifier values for fixed substrings are not excessively large, thereby preventing the size calculation from exceeding the available address space.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Wed, 27 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Perl
Perl perl
CPEs cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*
Vendors & Products Perl
Perl perl
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Tue, 26 May 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Shay
Shay perl
Vendors & Products Shay
Shay perl

Tue, 26 May 2026 00:15:00 +0000

Type Values Removed Values Added
Description Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
Title Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds
Weaknesses CWE-680
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-27T18:04:00.329Z

Reserved: 2026-05-12T08:15:41.456Z

Link: CVE-2026-8376

Vulnrichment

Updated: 2026-05-27T18:03:57.288Z

NVD

Status: Modified

Published: 2026-05-26T00:16:57.150

Modified: 2026-06-17T11:03:51.843

Link: CVE-2026-8376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T22:30:35Z

Weaknesses
  • CWE-680

    Integer Overflow to Buffer Overflow