CVE-2026-8376

NameCVE-2026-8376
DescriptionPerl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1137345

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
perl (PTS)bullseye5.32.1-4+deb11u3vulnerable
bullseye (security)5.32.1-4+deb11u5vulnerable
bookworm5.36.0-7+deb12u3vulnerable
bookworm (security)5.36.0-7+deb12u2vulnerable
trixie5.40.1-6vulnerable
forky5.40.1-7vulnerable
sid5.40.1-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
perlsource(unstable)5.40.1-81137345

Notes

[trixie] - perl <no-dsa> (Minor issue; can be fixed in point release)
[bookworm] - perl <no-dsa> (Minor issue; can be fixed in point release)
[bullseye] - perl <postponed> (Minor issue; can be fixed in point release)
https://github.com/Perl/perl5/pull/24433
https://lists.security.metacpan.org/cve-announce/msg/40396161/
Search for package or bug name: Reporting problems