Description
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.

The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.

The read may disclose adjacent heap contents into the destination SV.
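
The hazard described above, reduced to a small C model as an added example (not code from HTML-Parser or from this advisory): `buf_t`, `buf_grow`, `aliases`, `buf_splice` and the sample string are hypothetical, with `buf_grow` standing in for `grow_gap()`. It shows a hardened form in which a replacement pointer that aliases the buffer is copied out before the buffer can be reallocated; this page does not say whether the 3.84 fix works this way.

```c
/* Simplified model, not HTML-Parser source; all names are hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char *p; size_t len, cap; } buf_t;  /* stands in for an SV's PV */
/* Like grow_gap() in the description: may move the data and free the old block. */
static int buf_grow(buf_t *b, size_t need) {
    if (need <= b->cap) return 0;
    char *n = realloc(b->p, need);
    if (!n) return -1;
    b->p = n; b->cap = need; return 0;
}

/* Nonzero when src[0..n) overlaps b's current allocation. */
static int aliases(const buf_t *b, const char *src, size_t n) {
    uintptr_t s = (uintptr_t)src, lo = (uintptr_t)b->p;
    return n > 0 && s < lo + b->cap && s + n > lo;
}

/* Replace b[at..at+old_len) with src[0..n). Growing first and then copying
   from the caller's src would read freed memory whenever src points into b,
   so an aliasing src is copied to private storage before the buffer changes. */
int buf_splice(buf_t *b, size_t at, size_t old_len, const char *src, size_t n) {
    char *tmp = NULL;
    if (at > b->len || old_len > b->len - at) return -1;
    if (aliases(b, src, n)) {
        if (!(tmp = malloc(n))) return -1;
        memcpy(tmp, src, n); src = tmp;
    }
    size_t new_len = b->len - old_len + n;
    if (buf_grow(b, new_len + 1) != 0) { free(tmp); return -1; }
    memmove(b->p + at + n, b->p + at + old_len, b->len - at - old_len);
    memcpy(b->p + at, src, n);
    b->len = new_len; b->p[new_len] = '\0';
    free(tmp);
    return 0;
}

/* Constructed input: the buffer is its own replacement for "&foo;". */
int demo_self_reference(void) {
    buf_t b = { malloc(8), 7, 8 };
    if (!b.p) return -1;
    memcpy(b.p, "x&foo;y", 8);
    int ok = buf_splice(&b, 1, 5, b.p, b.len) == 0 && strcmp(b.p, "xx&foo;yy") == 0;
    free(b.p); return ok ? 0 : 1;
}

int main(void) { return demo_self_reference(); }
```

Building the model with AddressSanitizer (`-fsanitize=address`) and removing the `aliases` branch makes the stale read visible as a heap-use-after-free report.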
Published: 2026-06-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HTML::Entities versions prior to 3.84 contain a use‑after‑free bug in the _decode_entities routine. The routine caches a pointer into a string that may be freed later, so that a subsequent copy operation reads data from a reclaimed heap region. This flaw can lead to disclosure of adjacent heap contents when copying from the freed buffer, potentially exposing sensitive data. The weakness is a classic use‑after‑free issue as classified by CWE‑416.

Affected Systems

The vulnerability impacts the HTML::Entities Perl module, distributed by OALDERS. All released versions before 3.84 are affected. Systems that load this library, such as Perl applications that parse or render user‑supplied HTML using HTML::Entities, are at risk unless they have upgraded to version 3.84 or later.

Risk and Exploitability

The flaw permits arbitrary read of freed memory. The CVSS score of 7.5 indicates high severity. The EPSS score is 0.00017, indicating a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The exploit requires local execution of code that uses the vulnerable library; an attacker would need to supply crafted entity references that trigger the freed memory copy path. Thus the attack surface is limited to environments where untrusted input can be processed by the module.

Generated by OpenCVE AI on June 4, 2026 at 15:25 UTC.

Remediation

Vendor Solution

Upgrade to HTML-Parser 3.84 or later.


OpenCVE Recommended Actions

  • Upgrade to HTML-Parser 3.84 or later, which contains the fix for the use‑after‑free issue.
  • Implement strict input validation to prevent entity references that map an entity key to its own value, thereby blocking the reallocated buffer read path.
  • If an immediate upgrade is not feasible, limit the usage of HTML::Entities to trusted input sources only, and consider isolating the parsing logic in a sandboxed environment to contain potential memory disclosure.



History

Mon, 08 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Oalders html\
CPEs cpe:2.3:a:oalders:html\:\:entities:*:*:*:*:*:perl:*:*
Vendors & Products Oalders html\

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Oalders
Oalders html::entities
Vendors & Products Oalders
Oalders html::entities

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.
Title HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities
Weaknesses CWE-416
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-04T12:59:07.698Z

Reserved: 2026-05-18T13:24:05.252Z

Link: CVE-2026-8829

Vulnrichment

Updated: 2026-06-04T05:36:41.267Z

NVD

Status : Analyzed

Published: 2026-06-04T03:16:20.260

Modified: 2026-06-08T16:29:43.980

Link: CVE-2026-8829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:09:22Z
