CVE-2026-8376

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds

Published: 5/25/2026 Last updated: 5/27/2026 Reserved: 5/12/2026

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

CNA assigner: CPANSec (9b29abf9-4ab0-4765-b253-1875cd9b441e) Requested by: n/a

Metrics

Version Score Severity Vector String
3.1 7.3 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Opam packages affected (3)

bap-std conf-perl goblint-cil

Products affected (2)

Product Vendor Version
perl SHAY 10 Version 1809 for 32-bit Systems
perl SHAY 2019 for 32-bit editions

References (4)