CVE-2026-8376
Modified Modified - Updated After Analysis
Heap Buffer Overflow in Perl 5.43.10 on 32-bit Builds

Publication date: 2026-05-26

Last updated on: 2026-05-27

Assigner: CPANSec

Description
Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-27
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-8376
EUVD
EUVD-2026-31772
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
perl perl to 5.43.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-680 The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8376 is a heap buffer overflow vulnerability in Perl versions through 5.43.10 that affects 32-bit builds. It occurs when compiling regular expressions containing a repeated fixed string with a large minimum count. The function Perl_study_chunk in regcomp_study.c incorrectly calculates the size of the buffer in characters instead of bytes, which can cause an integer overflow in the byte length calculation. This overflow leads to an undersized memory allocation, and when the program copies data into this buffer, it writes past the allocated memory boundary, causing a heap buffer overflow.

An attacker can exploit this vulnerability by providing a specially crafted regular expression that triggers the overflow during compilation on a 32-bit Perl build.

Impact Analysis

This vulnerability can lead to memory corruption due to a heap buffer overflow when compiling malicious regular expressions on 32-bit Perl builds. The impact includes potential crashes, undefined behavior, or exploitation by attackers to execute arbitrary code or cause denial of service.

If your system or application uses Perl on a 32-bit architecture and compiles regular expressions from untrusted input, it is at risk of being exploited by attackers who can craft malicious regex patterns to trigger this overflow.

Detection Guidance

This vulnerability occurs when compiling attacker-controlled regular expressions with repeated fixed strings on 32-bit Perl builds. Detection involves identifying if your Perl environment is 32-bit and if it is compiling potentially malicious or unusually large repeated fixed string regex patterns.

Since the issue is triggered at compile time of regex patterns, you can check your Perl version and architecture with the following command:

  • perl -v # to check Perl version
  • perl -V:archname # to check if Perl is 32-bit

To detect attempts to exploit this vulnerability, monitor logs or scripts that compile or use complex regular expressions with large repeated fixed strings, especially if these regexes come from untrusted input.

No specific detection commands for the heap overflow itself are provided, but avoiding compilation of untrusted regex patterns on vulnerable Perl versions is recommended.

Mitigation Strategies

Immediate mitigation steps include avoiding the compilation of regular expressions from untrusted input on 32-bit Perl builds through version 5.43.10.

Users should upgrade Perl to a version that includes the fix merged into the blead branch or apply the upstream patch that prevents the integer overflow in the Perl_study_chunk function.

Until an upgrade or patch is applied, restrict or sanitize any input that could be used to compile repeated fixed string regular expressions with large minimum counts.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8376. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart