Description
Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.

Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.

A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.

Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.
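
A simplified model of the defect described above, added here as an illustration; it is not Text::LineFold's source or the vendor patch. The `break_text` helper, the function names and the separator set (VT and FF only) are assumptions, and the sample input is constructed.

```perl
#!/usr/bin/env perl
# Simplified model of the defect; not Text::LineFold's source or the vendor patch.
use strict;
use warnings;

# Assumption: only VT and FF are modelled; the page's "and others" is not enumerated.
my $SPECIAL = qr/([\x0B\x0C])/;

# Hypothetical stand-in for the real breaking routine: hard-wrap at $width columns.
sub break_text {
    my ($text, $width) = @_;
    return join "\n", $text =~ /.{1,$width}/gs;
}

# Defective shape: loop over segments, but pass the whole string to the breaker.
sub fold_buggy {
    my ($str, $width) = @_;
    my $out = '';
    for my $seg (split $SPECIAL, $str) {
        if ($seg =~ /\A$SPECIAL\z/) { $out .= $seg; next; }   # keep separator as-is
        $out .= break_text($str, $width);                     # bug: $str, not $seg
    }
    return $out;
}

# Corrected shape: each iteration breaks only its own segment.
sub fold_fixed {
    my ($str, $width) = @_;
    my $out = '';
    for my $seg (split $SPECIAL, $str) {
        if ($seg =~ /\A$SPECIAL\z/) { $out .= $seg; next; }
        $out .= break_text($seg, $width);
    }
    return $out;
}

# Constructed sample input: N short segments joined by FF.
for my $n (1, 10, 100, 1000) {
    my $input = join "\x0C", ('lorem ipsum dolor') x $n;
    printf "%5d segments: input %6d chars, buggy output %9d, fixed output %6d\n",
        $n, length($input), length(fold_buggy($input, 76)), length(fold_fixed($input, 76));
}
```

In this model the buggy output grows roughly with the square of the segment count while the fixed output stays the size of the input, which is why bounding input length limits the cost on unpatched installs.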
Published: 2026-05-30
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability causes Text::LineFold to duplicate its entire output for every special line break encountered. This means that a single input string can be repeated many times, consuming excessive memory or CPU resources and producing incorrect results. The consequence is a potential denial of service when the module processes large or heavily segmented inputs.

Affected Systems

The module Text::LineFold, part of the NEZUMI Unicode-LineBreak distribution, is vulnerable in all releases up to and including version 2019.001. Systems relying on this module to process text containing VT, FF, or other Unicode line‑break characters are affected.

Risk and Exploitability

The defect can be triggered by supplying a crafted string with many special break characters to any component that uses Text::LineFold. An attacker could exploit this by sending such a string through user‑controlled input, causing the application to duplicate the full text and exhaust resources. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. No CVSS score is published, but the duplication can lead to significant resource exhaustion and service interruption.

Generated by OpenCVE AI on May 30, 2026 at 17:21 UTC.

Remediation

Vendor Workaround

Apply the patch.


OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch from https://security.metacpan.org/patches/U/Unicode-LineBreak/2019.001/CVE-2026-8594-r1.patch and rebuild the module.
  • Validate or bound the length of any text before it reaches Text::LineFold to limit duplication and resource consumption.
  • When possible, exclude the module from processing untrusted data, or replace it with a corrected implementation that does not duplicate output.

Generated by OpenCVE AI on May 30, 2026 at 17:21 UTC.

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nezumi; Nezumi text::linefold
Vendors & Products | | Nezumi; Nezumi text::linefold

Sat, 30 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
References | |

Sat, 30 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment. A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service. Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.
Title | | Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters
Weaknesses | | CWE-405; CWE-407
References | |

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-30T18:23:34.015Z

Reserved: 2026-05-14T11:54:55.248Z

Link: CVE-2026-8594

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:05.067

Modified: 2026-05-30T19:16:14.643

Link: CVE-2026-8594

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:17:24Z

Weaknesses