CVE-2026-8376
BaseFortify
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: CPANSec
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| perl | perl | to 5.43.10 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-680 | The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-8376 is a heap buffer overflow vulnerability in Perl versions through 5.43.10 that affects 32-bit builds. It occurs when compiling regular expressions containing a repeated fixed string with a large minimum count. The function Perl_study_chunk in regcomp_study.c incorrectly calculates the size of the buffer in characters instead of bytes, which can cause an integer overflow in the byte length calculation. This overflow leads to an undersized memory allocation, and when the program copies data into this buffer, it writes past the allocated memory boundary, causing a heap buffer overflow.
An attacker can exploit this vulnerability by providing a specially crafted regular expression that triggers the overflow during compilation on a 32-bit Perl build.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption due to a heap buffer overflow when compiling malicious regular expressions on 32-bit Perl builds. The impact includes potential crashes, undefined behavior, or exploitation by attackers to execute arbitrary code or cause denial of service.
If your system or application uses Perl on a 32-bit architecture and compiles regular expressions from untrusted input, it is at risk of being exploited by attackers who can craft malicious regex patterns to trigger this overflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when compiling attacker-controlled regular expressions with repeated fixed strings on 32-bit Perl builds. Detection involves identifying if your Perl environment is 32-bit and if it is compiling potentially malicious or unusually large repeated fixed string regex patterns.
Since the issue is triggered at compile time of regex patterns, you can check your Perl version and architecture with the following command:
- perl -v # to check Perl version
- perl -V:archname # to check if Perl is 32-bit
To detect attempts to exploit this vulnerability, monitor logs or scripts that compile or use complex regular expressions with large repeated fixed strings, especially if these regexes come from untrusted input.
No specific detection commands for the heap overflow itself are provided, but avoiding compilation of untrusted regex patterns on vulnerable Perl versions is recommended.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the compilation of regular expressions from untrusted input on 32-bit Perl builds through version 5.43.10.
Users should upgrade Perl to a version that includes the fix merged into the blead branch or apply the upstream patch that prevents the integer overflow in the Perl_study_chunk function.
Until an upgrade or patch is applied, restrict or sanitize any input that could be used to compile repeated fixed string regular expressions with large minimum counts.