========================================================================
CVE-2026-8376 CPAN Security Group
========================================================================
CVE ID: CVE-2026-8376
Distribution: perl
Versions: through 5.43.10
MetaCPAN: https://metacpan.org/dist/perl
VCS Repo: https://github.com/Perl/perl5
Perl versions through 5.43.10 have a heap buffer overflow when
compiling regular expressions with a repeated fixed string on 32-bit
builds
Description
-----------
Perl versions through 5.43.10 have a heap buffer overflow when
compiling regular expressions with a repeated fixed string on 32-bit
builds.
Perl_study_chunk in regcomp_study.c checked the size of the joined
substring buffer in characters rather than bytes. For a quantified
fixed substring with a large minimum count, the byte length mincount *
l could overflow SSize_t, producing an undersized SvGROW allocation;
the subsequent copy writes past the end of the buffer.
A caller that compiles an attacker-controlled regular expression on a
32-bit perl build triggers a heap buffer overflow at compile time.
Problem types
-------------
- CWE-680 Integer Overflow to Buffer Overflow
Workarounds
-----------
On 32-bit perl builds, avoid compiling regular expressions from
untrusted input until a fixed release is installed.
Solutions
---------
Upgrade to a future perl release, or apply the upstream patch.
References
----------
https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch
Timeline
--------
- 2026-04-24: Issue reported.
- 2026-05-20: Fix merged to blead.
