CVE-2026-8376 - Vulnerability Details

Description

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.

Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.

A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

Published: 2026-05-25

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Perl releases through 5.43.10 contain a heap buffer overflow that occurs when compiling regular expressions which include a repeated fixed string on 32‑bit builds. The bug arises because Perl's regex compiler calculates the required buffer size in characters, not bytes, for a quantified fixed substring with a large minimum count. Multiplying this minimum count by the substring length can overflow the signed size type, causing an undersized allocation and a subsequent memory overwrite during the compilation of the expression. An attacker who can supply a regular expression to a Perl program running on a 32‑bit build can trigger this overflow during compile time, potentially leading to arbitrary code execution or program termination.

Affected Systems

The vulnerability affects all 32‑bit builds of Perl versions up to and including 5.43.10, as documented by the Perl community and noted by the SECL team. Systems running newer 64‑bit builds or later Perl releases are not affected.

Risk and Exploitability

The EPSS metric is not available for this entry, and the vulnerability is not listed in CISA's KEV catalog, which limits public data on how frequently it is exploited. However, buffer overflows of this nature are historically classified as high‑severity, and the fact that the overflow occurs during regex compilation gives an attacker a relatively low barrier to exploitation when untrusted input is processed. Consequently, any application that compiles user‑supplied regular expressions on a 32‑bit Perl installation is at high risk of code execution or denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SHAY

perl

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.43.10

No data.

Vendor Product Confidence Versions

Shay

Perl

100%

Version	Status	Scheme	Platform
`[0,5.43.10]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Upgrade to a future perl release, or apply the upstream patch.

Vendor Workaround

On 32-bit perl builds, avoid compiling regular expressions from untrusted input until a fixed release is installed.

OpenCVE Recommended Actions

Upgrade Perl to version 5.43.11 or later, or apply the upstream patch provided at the referenced commit link.
If an upgrade cannot be performed immediately, do not compile any user‑supplied regular expressions on 32‑bit Perl installations until the patch or an updated release is applied.
Perform input validation to ensure that quantifier values for fixed substrings are not excessively large, thereby preventing the size calculation from exceeding the available address space.

Generated by OpenCVE AI on May 26, 2026 at 01:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/26/1
https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch

History

Tue, 26 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/26/1

Tue, 26 May 2026 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Shay Shay perl
Vendors & Products		Shay Shay perl

Tue, 26 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Description		Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
Title		Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds
Weaknesses		CWE-680
References		https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch

Subscriptions

Shay Perl

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published: 2026-05-25T23:53:27.812Z

Updated: 2026-05-26T03:06:00.816Z

Reserved: 2026-05-12T08:15:41.456Z

Link: CVE-2026-8376

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T00:16:57.150

Modified: 2026-05-26T04:16:27.237

Link: CVE-2026-8376

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T03:00:13Z

Weaknesses

CWE-680

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object