CVE-2026-8594
Deferred Deferred - Pending Action
Text::LineFold Perl Module Line Break Handling Denial of Service

Publication date: 2026-05-30

Last updated on: 2026-06-01

Assigner: CPANSec

Description
Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters. Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment. A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service. Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-30
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-30
EPSS Evaluated
2026-06-18
NVD
CVE-2026-8594
EUVD
EUVD-2026-33466
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unicode linebreak 2019.001
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-405 The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Text::LineFold versions through 2019.001 for Perl involves the module duplicating the output based on the number of special break characters in the input string.

Text::LineFold splits the input string by specific line break characters (such as VT, FF, and others) into segments, but incorrectly applies the break function to the entire string instead of just the individual segment.

This causes the full input to be duplicated for each segment, which is incorrect behavior and can lead to unexpected resource consumption.

Impact Analysis

The main impact of this vulnerability is that it can cause unexpected resource consumption due to the duplication of the entire input string for each segment.

This excessive resource usage can potentially lead to a denial of service (DoS) condition, where the system or application becomes unresponsive or crashes because of the overload.

Detection Guidance

This vulnerability occurs in the Text::LineFold Perl module versions through 2019.001, where the fold function duplicates the entire input string for each segment separated by special break characters. Detection involves identifying if your system uses this vulnerable version of the module.

To detect the vulnerability on your system, you can check the installed version of the Unicode-LineBreak distribution or the Text::LineFold module.

  • Run the command `perl -MText::LineFold -e 'print $Text::LineFold::VERSION'` to check the installed version of Text::LineFold.
  • Alternatively, check the Unicode-LineBreak distribution version with your package manager or by inspecting the module files.

If the version is 2019.001 or earlier, your system is vulnerable to this issue.

Mitigation Strategies

The immediate mitigation step is to update the Text::LineFold module to a version that includes the fix for CVE-2026-8594.

The vulnerability was fixed by correcting the fold function to properly handle string segments without duplicating the entire input.

  • Update the Unicode-LineBreak distribution to a version later than 2019.001 that contains the fix.
  • Apply the patch from the official repository or source if an update is not immediately available.

Avoid using the vulnerable version in production environments until the fix is applied to prevent potential denial of service due to resource exhaustion.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart