CVE-2026-8829
Analyzed Analyzed - Analysis Complete
HTML::Entities Perl Module Heap Memory Read Vulnerability

Publication date: 2026-06-04

Last updated on: 2026-06-08

Assigner: CPANSec

Description
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-04
Last Modified
2026-06-08
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-23
NVD
CVE-2026-8829
EUVD
EUVD-2026-34194
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oalders html to 3.84 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8829 is a heap-use-after-free vulnerability in the _decode_entities function of the HTML::Entities Perl module. The issue arises when the input scalar value (SV) passed to _decode_entities is the same SV stored as a self-referential value in the entity hash. In this case, a function called grow_gap() can reallocate the SV's buffer, freeing the memory that a pointer (repl) still references. This leads to reading from freed memory, which can cause unexpected behavior or data disclosure.

Impact Analysis

This vulnerability can lead to reading freed heap memory, which may disclose adjacent heap contents into the destination scalar value. This unintended memory disclosure could expose sensitive information stored in memory, potentially leading to data leakage or other security issues depending on the context in which the vulnerable function is used.

Detection Guidance

This vulnerability occurs in the HTML::Entities Perl module versions before 3.84, specifically in the _decode_entities function when processing self-referential scalar values (SVs) in the entity hash.

Detection involves verifying if your system uses a vulnerable version of the HTML::Entities module and if the _decode_entities function is called with inputs that are self-referential SVs that could trigger the heap-use-after-free condition.

Since this is a heap-use-after-free vulnerability triggered by specific input conditions, direct network detection commands are not applicable.

To check the installed version of HTML::Entities on your system, you can run the following Perl command:

  • perl -MHTML::Entities -e 'print $HTML::Entities::VERSION, "\n"'

If the version is before 3.84, your system is potentially vulnerable.

For more in-depth detection, you would need to audit or test the usage of _decode_entities with crafted inputs that simulate the self-referential SV scenario described in the vulnerability.

Mitigation Strategies

The primary mitigation step is to upgrade the HTML::Entities Perl module to version 3.84 or later, where the vulnerability has been fixed.

The fix involves copying the entity value into an owned buffer when the input SV aliases the hash entry SV, preventing the use-after-free condition.

If upgrading immediately is not possible, avoid processing inputs that could trigger the self-referential SV condition in _decode_entities.

Review and apply the patch from the official repository that addresses this issue, as detailed in the linked commit and pull request.

Compliance Impact

This vulnerability may lead to the disclosure of adjacent heap memory contents due to a heap-use-after-free condition in the HTML::Entities::_decode_entities function.

Such unintended disclosure of memory could potentially expose sensitive data processed by the affected software.

Exposure of sensitive data can impact compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and health information against unauthorized access or leaks.

Therefore, if the affected software is used in environments subject to these regulations, this vulnerability could pose a compliance risk until it is remediated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8829. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart