CVE-2026-4176

Name: CVE-2026-4176
Description: Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| perl (PTS) | bullseye | 5.32.1-4+deb11u3 | fixed |
| | bullseye (security) | 5.32.1-4+deb11u4 | fixed |
| | bookworm | 5.36.0-7+deb12u3 | fixed |
| | bookworm (security) | 5.36.0-7+deb12u2 | fixed |
| | trixie | 5.40.1-6 | fixed |
| | forky, sid | 5.40.1-7 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| perl | source | (unstable) | 5.10.0-21 | | | |

Notes

https://lists.security.metacpan.org/cve-announce/msg/38393284/
Since perl/5.10.0-20 (in experimental) the packaging uses the system zlib library.
The CVE is assigned for the embedded use of zlib to address CVE-2026-27171.
