CVE-2026-4176
Received - Intake
Zlib Vulnerabilities in Perl Compress::Raw::Zlib Module

Publication date: 2026-03-29

Last updated on: 2026-04-22

Assigner: CPANSec

Description
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Meta Information
Published: 2026-03-29
Last Modified: 2026-04-22
Generated: 2026-06-16
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor | Product | Version / Range
perl | perl | From 5.41.0 (inc) to 5.42.2 (exc)
perl | perl | From 5.43.0 (inc) to 5.43.9 (exc)
perl | perl | From 5.9.4 (inc) to 5.40.4 (exc)
Impact Analysis

This vulnerability affects certain versions of Perl that include a vulnerable version of the Compress::Raw::Zlib module. Because Compress::Raw::Zlib contains a vendored version of zlib with known vulnerabilities, it may expose systems using these Perl versions to security risks associated with those underlying zlib vulnerabilities.

Mitigation Strategies

To mitigate this vulnerability, update Perl to a version that includes the fixed Compress::Raw::Zlib module. Specifically, upgrade to Perl versions after 5.40.4-RC1, 5.42.2-RC1, or 5.43.9, where the bundled Compress::Raw::Zlib has been updated to version 2.221, which addresses the vulnerability.

Executive Summary

This vulnerability affects certain versions of Perl that include a vulnerable version of the Compress::Raw::Zlib module. Compress::Raw::Zlib is a core module in Perl that uses a vendored version of the zlib compression library. The vulnerability is related to this bundled zlib version, which contains several security issues, including CVE-2026-27171. The affected Perl versions are from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, and from 5.43.0 before 5.43.9.

The vulnerability was addressed by updating the bundled Compress::Raw::Zlib module to version 2.221 in a specific Perl blead commit.

Detection Guidance

This vulnerability affects specific versions of Perl that include a vulnerable Compress::Raw::Zlib module. To detect if your system is affected, you need to check the installed Perl version and the version of the Compress::Raw::Zlib module.

You can check the Perl version by running the command:

  • perl -v

If the Perl version falls within the vulnerable ranges (from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, or from 5.43.0 before 5.43.9), your system may be vulnerable.

To check the version of the Compress::Raw::Zlib module, you can run a Perl one-liner:

  • perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION, "\n";'

If the module version is less than 2.222, it is vulnerable.

Mitigation involves updating Perl to a stable release 5.40.4 or 5.42.2 or later, or manually installing Compress::Raw::Zlib version 2.222 from CPAN.
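
The version check described above, as an added example that is not part of the original advisory: a POSIX shell function that classifies a Perl version against the three affected ranges listed on this page. The function names and the `--local` switch are assumptions made for illustration; a `-RCn` suffix is ignored, so 5.40.4-RC1 compares as 5.40.4.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Perl version against the
# three affected ranges listed on this page. Function names are illustrative.

# ver_key X.Y.Z[-RCn] -> sortable integer. The -RCn suffix is dropped, so
# 5.40.4-RC1 sorts with 5.40.4, matching the exclusive upper bounds.
ver_key() {
    v=${1#v}; v=${v%%-*}          # accept "v5.36.0"; strip "-RC1"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 2 ;;   # malformed
        *.*.*) ;;
        *) return 2 ;;                                  # need three parts
    esac
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    echo $(( maj * 1000000 + min * 1000 + pat ))
}

# in_range KEY LO HI -> true when LO <= KEY < HI
in_range() {
    [ "$1" -ge "$(ver_key "$2")" ] && [ "$1" -lt "$(ver_key "$3")" ]
}

# perl_affected VERSION -> 0 affected, 1 not affected, 2 unparseable
perl_affected() {
    k=$(ver_key "$1") || return 2
    in_range "$k" 5.9.4  5.40.4 ||
    in_range "$k" 5.41.0 5.42.2 ||
    in_range "$k" 5.43.0 5.43.9
}

# With --local, test the perl on PATH and print the bundled module version
# so it can be compared with the fixed version named in the advisory.
if [ "${1:-}" = "--local" ]; then
    pv=$(perl -e 'printf "%vd", $^V') || exit 2
    modv=$(perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION' 2>/dev/null) || modv=unknown
    if perl_affected "$pv"; then
        state="in an affected range"
    else
        state="outside the affected ranges"
    fi
    echo "perl $pv is $state; Compress::Raw::Zlib $modv"
fi
```

A Compress::Raw::Zlib installed separately from CPAN can differ from the copy bundled with the interpreter, so the module version printed by `--local` should be read alongside the range result.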

Compliance Impact

The provided information does not include any details about how CVE-2026-4176 affects compliance with common standards and regulations such as GDPR or HIPAA.
