CVE-2026-8829
Received - Intake
HTML::Entities Perl Module Heap Memory Read Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: CPANSec

Description
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-04
AI Q&A: 2026-06-04
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: perl
Product: html_entities
Version / Range: up to 3.84 (exclusive)
CWE
CWE ID: CWE-416
Description: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-8829 is a heap-use-after-free vulnerability in the _decode_entities function of the HTML::Entities Perl module. The issue arises when the input scalar value (SV) passed to _decode_entities is the same SV stored as a self-referential value in the entity hash. In this case, a function called grow_gap() can reallocate the SV's buffer, freeing the memory that a pointer (repl) still references. This leads to reading from freed memory, which can cause unexpected behavior or data disclosure.


How can this vulnerability impact me?

This vulnerability can lead to reading freed heap memory, which may disclose adjacent heap contents into the destination scalar value. This unintended memory disclosure could expose sensitive information stored in memory, potentially leading to data leakage or other security issues depending on the context in which the vulnerable function is used.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs in the HTML::Entities Perl module versions before 3.84, specifically in the _decode_entities function when processing self-referential scalar values (SVs) in the entity hash.

Detection involves verifying if your system uses a vulnerable version of the HTML::Entities module and if the _decode_entities function is called with inputs that are self-referential SVs that could trigger the heap-use-after-free condition.

Since this is a heap-use-after-free vulnerability triggered by specific input conditions, direct network detection commands are not applicable.

To check the installed version of HTML::Entities on your system, you can run the following Perl command:

  • perl -MHTML::Entities -e 'print $HTML::Entities::VERSION, "\n"'

If the version is before 3.84, your system is potentially vulnerable.

For more in-depth detection, you would need to audit or test the usage of _decode_entities with crafted inputs that simulate the self-referential SV scenario described in the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the HTML::Entities Perl module to version 3.84 or later, where the vulnerability has been fixed.

The fix involves copying the entity value into an owned buffer when the input SV aliases the hash entry SV, preventing the use-after-free condition.

If upgrading immediately is not possible, avoid calling _decode_entities with an input scalar that is itself a value in the entity hash, which is the self-referential SV condition that triggers the bug.

Review and apply the patch from the official repository that addresses this issue, as detailed in the linked commit and pull request.
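
The aliasing hazard from the description and the copy-into-an-owned-buffer fix described above, as an added C sketch that is not the module's XS code. buf_t, buf_grow, splice_value and demo_self_reference are hypothetical stand-ins for the SV buffer, grow_gap() and the replacement step, and the sample input is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for an SV's string buffer; not Perl's real SV layout. */
typedef struct { char *pv; size_t len, cap; } buf_t;

/* Plays the role of grow_gap(): realloc may move the allocation and free the
 * old one, so any pointer cached into b->pv before this call becomes stale. */
static int buf_grow(buf_t *b, size_t need) {
    if (b->cap >= need) return 0;
    char *p = realloc(b->pv, need);
    if (!p) return -1;
    b->pv = p;
    b->cap = need;
    return 0;
}

/* Replace in->pv[at, at+cut) with val's bytes, in place. 0 on success. */
int splice_value(buf_t *in, size_t at, size_t cut, const buf_t *val) {
    const char *repl = val->pv;       /* cached pointer, as in the description */
    size_t repl_len = val->len;
    char *owned = NULL;
    if (at > in->len || cut > in->len - at) return -1;
    if (val == in) {                  /* input aliases the value: copy first */
        owned = malloc(repl_len + 1);
        if (!owned) return -1;
        memcpy(owned, repl, repl_len);
        repl = owned;                 /* without this, repl dangles after grow */
    }
    size_t new_len = in->len - cut + repl_len;
    if (buf_grow(in, new_len + 1) != 0) { free(owned); return -1; }
    memmove(in->pv + at + repl_len, in->pv + at + cut, in->len - at - cut);
    memcpy(in->pv + at, repl, repl_len);
    in->len = new_len;
    in->pv[new_len] = '\0';
    free(owned);
    return 0;
}

/* Constructed case: the value "a&x;b" references its own key "x" and is also
 * the input. Returns 1 if the result is "aa&x;bb". */
int demo_self_reference(void) {
    buf_t v = { malloc(6), 5, 6 };
    if (!v.pv) return 0;
    memcpy(v.pv, "a&x;b", 6);
    int ok = splice_value(&v, 1, 3, &v) == 0 && strcmp(v.pv, "aa&x;bb") == 0;
    free(v.pv);
    return ok;
}
```

Building this with AddressSanitizer (-fsanitize=address) and deleting the `val == in` branch makes the stale read visible as a heap-use-after-free report, which is the class of finding CWE-416 describes.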


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability may lead to the disclosure of adjacent heap memory contents due to a heap-use-after-free condition in the HTML::Entities::_decode_entities function.

Such unintended disclosure of memory could potentially expose sensitive data processed by the affected software.

Exposure of sensitive data can impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access or leaks.

Therefore, if the affected software is used in environments subject to these regulations, this vulnerability could pose a compliance risk until it is remediated.

