CVE-2026-4176
Zlib Vulnerabilities in Perl Compress::Raw::Zlib Module
Publication date: 2026-03-29
Last updated on: 2026-04-22
Assigner: CPANSec
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perl | perl | From 5.41.0 (inc) to 5.42.2 (exc) |
| perl | perl | From 5.43.0 (inc) to 5.43.9 (exc) |
| perl | perl | From 5.9.4 (inc) to 5.40.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability affects certain versions of Perl that include a vulnerable version of the Compress::Raw::Zlib module. Because Compress::Raw::Zlib contains a vendored version of zlib with known vulnerabilities, it may expose systems using these Perl versions to security risks associated with those underlying zlib vulnerabilities.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Perl to a version that includes the fixed Compress::Raw::Zlib module. Specifically, upgrade to Perl versions after 5.40.4-RC1, 5.42.2-RC1, or 5.43.9, where the bundled Compress::Raw::Zlib has been updated to version 2.221 which addresses the vulnerability.
Can you explain this vulnerability to me?
This vulnerability affects certain versions of Perl that include a vulnerable version of the Compress::Raw::Zlib module. Compress::Raw::Zlib is a core module in Perl that uses a vendored version of the zlib compression library. The vulnerability is related to this bundled zlib version, which contains several security issues, including CVE-2026-27171. The affected Perl versions are from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, and from 5.43.0 before 5.43.9.
The vulnerability was addressed by updating the bundled Compress::Raw::Zlib module to version 2.221 in a specific Perl blead commit.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects specific versions of Perl that include a vulnerable Compress::Raw::Zlib module. To detect if your system is affected, you need to check the installed Perl version and the version of the Compress::Raw::Zlib module.
You can check the Perl version by running the command:
- `perl -v`
If the Perl version falls within the vulnerable ranges (from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, or from 5.43.0 before 5.43.9), your system may be vulnerable.
To check the version of the Compress::Raw::Zlib module, you can run a Perl one-liner:
- `perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION, "\n";'`
If the module version is less than 2.222, it is vulnerable.
Mitigation involves updating Perl to a stable release 5.40.4 or 5.42.2 or later, or manually installing Compress::Raw::Zlib version 2.222 from CPAN.
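The detection procedure above, written out as an added example that is not part of this advisory: a POSIX shell script that runs the two checks on the local host and compares the results against the three affected Perl ranges and the 2.222 module threshold the detection answer gives. The version-comparison helpers, the function names, the use of `printf "%vd", $^V` to obtain a dotted Perl version, and the treatment of `-RC` suffixes (the numeric part is compared, so a fixing release candidate counts as fixed, matching the "before 5.40.4-RC1" boundaries) are assumptions of this example, not anything the advisory specifies.

```shell
#!/bin/sh
# Added example (not from the advisory): classify Perl and Compress::Raw::Zlib
# versions against the ranges listed for CVE-2026-4176.

# vercmp A B: prints lt, eq or gt for dotted versions (up to three fields).
# A leading "v" and a pre-release suffix such as "-RC1" are dropped before
# comparing, so 5.40.4-RC1 sorts as 5.40.4 (assumption of this example).
vercmp() {
    a=${1%%-*}; a=${a#v}
    b=${2%%-*}; b=${b#v}
    oldifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair##*:}
        if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
        if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
    done
    echo eq
}

# in_range V LOW HIGH: succeeds when LOW <= V < HIGH (half-open, like the
# "from X (inc) to Y (exc)" rows in the affected-products table).
in_range() {
    [ "$(vercmp "$1" "$2")" != lt ] && [ "$(vercmp "$1" "$3")" = lt ]
}

# perl_affected VERSION: "affected" if the Perl version lies in any of the
# three ranges the advisory lists, else "not-affected".
perl_affected() {
    if in_range "$1" 5.9.4 5.40.4-RC1 ||
       in_range "$1" 5.41.0 5.42.2-RC1 ||
       in_range "$1" 5.43.0 5.43.9; then
        echo affected
    else
        echo not-affected
    fi
}

# zlib_module_affected VERSION: CPAN module versions are decimal numbers
# (2.221 < 2.222 < 2.3), so compare numerically with awk rather than by
# dotted fields. Threshold taken from the advisory's detection answer.
zlib_module_affected() {
    if awk -v v="$1" 'BEGIN { exit (v + 0 < 2.222) ? 0 : 1 }'; then
        echo affected
    else
        echo not-affected
    fi
}

# check_host: run the advisory's two checks on this machine (if perl exists)
# and print a verdict for each.
check_host() {
    command -v perl >/dev/null 2>&1 || { echo "perl: not installed"; return 0; }
    pv=$(perl -e 'printf "%vd", $^V')
    mv=$(perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION' 2>/dev/null || echo missing)
    echo "perl $pv: $(perl_affected "$pv")"
    if [ "$mv" = missing ]; then
        echo "Compress::Raw::Zlib: not installed"
    else
        echo "Compress::Raw::Zlib $mv: $(zlib_module_affected "$mv")"
    fi
}

check_host
```

Both verdicts are reported because a distribution may ship a Perl in an affected range while its packaged Compress::Raw::Zlib has already been updated separately; the module version is the more direct indicator, the Perl version the quicker fleet-wide triage key.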
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about how CVE-2026-4176 affects compliance with common standards and regulations such as GDPR or HIPAA.