Heap Buffer Overflow in Perl Affects 32-bit Builds
CVE-2026-8376

7.3HIGH

Key Information:

Vendor

Shay

Status
Vendor
CVE Published:
25 May 2026

What is CVE-2026-8376?

A heap buffer overflow vulnerability exists in Perl versions through 5.43.10 when compiling regular expressions with a repeated fixed string on 32-bit builds. The flaw lies in the Perl_study_chunk function within regcomp_study.c, where it incorrectly checks the size of the joined substring buffer in characters instead of bytes. This oversight can lead to an undersized allocation, allowing an attacker to craft a malicious regular expression that triggers a heap buffer overflow during compilation. Such exploitation can compromise the stability and security of applications using the vulnerable version of Perl.

Affected Version(s)

perl 0 <= 5.43.10

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.