VYPR
Unrated severity · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-8376

Description

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.

Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.

A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Perl 5.43.10 and earlier on 32-bit builds have a heap buffer overflow when compiling regexes with repeated fixed strings, due to an integer overflow in buffer size calculation.

Vulnerability

Perl versions through 5.43.10 on 32-bit builds contain a heap buffer overflow in the regular expression compiler, specifically in Perl_study_chunk in regcomp_study.c. The function incorrectly checks the size of a joined substring buffer in characters instead of bytes. When a quantified fixed substring with a large minimum count is compiled, the byte length calculation mincount * l overflows SSize_t, resulting in an undersized SvGROW allocation. A subsequent buffer copy writes past the allocated memory, causing a heap overflow. This affects all 32-bit Perl builds up to and including version 5.43.10 [1].

Exploitation

An attacker who can supply a carefully crafted regular expression to a 32-bit Perl build can trigger the overflow at compile time, without requiring authentication. The exploit requires no user interaction beyond the compilation of the malicious regex. For example, a regex such as /\x{10000}{1073741824}/ causes mincount * l to overflow, leading to an undersized buffer and a heap buffer overflow [1].

Impact

Successful exploitation results in a heap buffer overflow, which can corrupt memory. This may lead to denial of service (crash) or, depending on heap layout, potential arbitrary code execution. The overflow occurs at compile time, before any regex matching is performed [1].

Mitigation

The issue is fixed in commit 5e7f119eb2bb1181be908701f22bf7068e722f1c to the Perl source repository, which adds an overflow check and causes compilation to fail with a "Regexp out of space" error [2]. As of the publication date (May 26, 2026), this fix has not yet been included in a stable Perl release. Users on 32-bit builds are advised to avoid compiling untrusted regular expressions or to use 64-bit builds where the overflow does not occur.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

952b7178ad20

perldelta for CVE-2026-8376

https://github.com/Perl/perl5 · Tony Cook · May 20, 2026 · via github-commit-search
1 file changed · +6 -1
  • pod/perldelta.pod · +6 -1 · modified
    @@ -33,7 +33,12 @@ XXX Any security-related notices go here. In particular, any security
     vulnerabilities closed should be noted here rather than in the
     L</Selected Bug Fixes> section.
     
    -[ List each security issue as a =head2 entry ]
    +=head2 CVE-2026-8376 - Buffer overflow in Perl_study_chunk
    +
    +Repeated fixed string buffer overflow check counted characters not
    +bytes.
    +
    +CVE-2026-8376
     
     =head1 Incompatible Changes
     
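Review bot: The body of the new =head2 entry says only that the check "counted characters not bytes", which does not tell a perldelta reader what is affected or what changes for them. Consider stating that this concerns regular expression compilation and what the compiler now does instead of overflowing. The bare "CVE-2026-8376" line at the end repeats the identifier already in the =head2 title; drop it or turn it into a link to the advisory.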
    
5e7f119eb2bb

perl/perl-security#147: test against the actual character lengths

https://github.com/Perl/perl5 · Tony Cook · May 12, 2026 · via body-scan
2 files changed · +7 -1
  • regcomp_study.c · +7 -0 · modified
    @@ -2784,6 +2784,13 @@ Perl_study_chunk(pTHX_
                                                    (U8 *) SvEND(data->last_found))
                                     - (U8*)s;
                             l -= old;
    +
    +                        if (l > 0 &&
    +                            (mincount >= SSize_t_MAX / (SSize_t)l
    +                             || old > SSize_t_MAX - mincount * (SSize_t)l)) {
    +                            FAIL("Regexp out of space");
    +                        }
    +
                             /* Get the added string: */
                             last_str = newSVpvn_utf8(s  + old, l, UTF);
                             last_chrs = UTF ? utf8_length((U8*)(s + old),
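Review bot: The second operand of the new condition, `old > SSize_t_MAX - mincount * (SSize_t)l`, is safe only because `||` short-circuits after `mincount >= SSize_t_MAX / (SSize_t)l`; if the operands are ever reordered or split into separate statements, `mincount * (SSize_t)l` can overflow again. A short comment above the `if` saying that the check is in bytes and that the operand order matters would protect it. The `>=` also rejects the boundary value where the product would still fit, which is harmless but worth marking as intentional, and the check relies on `mincount` being non-negative at this point.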
    
  • t/re/pat_psycho.t · +0 -1 · modified
    @@ -218,7 +218,6 @@ EOF
         { # sec #147
             $Config{ptrsize} == 4
               or skip "these only fail on x32 and use too much memory on x64", 2;
    -        local $::TODO = "This crashes";
             # original case
             fresh_perl_like('/\x{10000}{1073741824}/',
                             qr/Regexp out of space/, {}, "ssize_t overflow");
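Review bot: With the TODO removed, the visible case `/\x{10000}{1073741824}/` exercises only the first operand of the new guard in regcomp_study.c (the `mincount * l` overflow); nothing shown here drives the `old > SSize_t_MAX - mincount * (SSize_t)l` branch. If the second test counted by `skip ..., 2` does not already cover that branch, add a case for it. Because the block is skipped unless `$Config{ptrsize} == 4`, the fix also gets no coverage on 64-bit test runs, which is worth noting in the comment next to `# sec #147`.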
    

Vulnerability mechanics

Root cause

"Size check in `Perl_study_chunk` counted characters instead of bytes, allowing `SSize_t` overflow in the repeated-string length calculation."

Attack vector

An attacker supplies a crafted regular expression containing a quantified fixed substring with a large minimum count (e.g., `/\x{10000}{1073741824}/`) to a 32-bit perl build [ref_id=1]. During compilation, `Perl_study_chunk` computes the byte length of the repeated string as `mincount * l`; because the size check was done in characters rather than bytes, the multiplication can overflow `SSize_t`, producing a small allocation. The subsequent copy writes past the end of the undersized buffer, causing a heap buffer overflow at compile time [patch_id=2539786].

Affected code

The vulnerability is in `Perl_study_chunk` in `regcomp_study.c`. The code that computes the byte length of a repeated fixed substring (`mincount * l`) used a character-based size check instead of a byte-based check, leading to an undersized `SvGROW` allocation [patch_id=2539786].

What the fix does

The patch adds an overflow guard before the `SvGROW` allocation: it checks whether `mincount >= SSize_t_MAX / (SSize_t)l` or whether `old > SSize_t_MAX - mincount * (SSize_t)l` [patch_id=2539786]. If either condition is true, the regex compilation fails with `"Regexp out of space"` instead of proceeding with a truncated size. The test file `t/re/pat_psycho.t` removes the `TODO` marker so the previously-crashing case now verifies the safe failure [patch_id=2539786].
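
The arithmetic behind the overflow and the patched guard, as an added example (not code from the Perl source). It models a 32-bit `SSize_t` with `int32_t` so it runs on any host; `ssize32`, `true_bytes`, `wrapped_bytes`, `char_check_passes` and `out_of_space` are names invented here, and the character-based check is a simplified stand-in for the pre-fix logic.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: model a 32-bit build by fixing SSize_t at 32 bits. */
typedef int32_t ssize32;
#define SSIZE32_MAX INT32_MAX

/* Bytes needed to encode one valid code point in UTF-8. */
static ssize32 utf8_bytes(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Mathematically correct byte count of the repeated string. */
static int64_t true_bytes(ssize32 mincount, ssize32 l) {
    return (int64_t)mincount * l;
}

/* The same product as 32-bit arithmetic sees it. Unsigned types are used
 * so the wraparound is well defined in C. */
static uint32_t wrapped_bytes(ssize32 mincount, ssize32 l) {
    return (uint32_t)mincount * (uint32_t)l;
}

/* Hypothetical character-based check: does mincount * chars fit? */
static int char_check_passes(ssize32 mincount, ssize32 chars) {
    return chars == 0 || mincount <= SSIZE32_MAX / chars;
}

/* Guard with the same shape as the patch, in bytes. Returns 1 when
 * compilation must fail. The second operand runs only when the first is
 * false, so mincount * l cannot overflow there. */
static int out_of_space(ssize32 old, ssize32 mincount, ssize32 l) {
    return l > 0 &&
           (mincount >= SSIZE32_MAX / l ||
            old > SSIZE32_MAX - mincount * l);
}

int main(void) {
    ssize32 mincount = 1073741824;       /* {1073741824} = 2^30 */
    ssize32 l = utf8_bytes(0x10000);     /* \x{10000}: 1 char, 4 bytes */
    printf("true bytes      : %lld\n", (long long)true_bytes(mincount, l));
    printf("32-bit product  : %u\n", (unsigned)wrapped_bytes(mincount, l));
    printf("char check ok   : %d\n", char_check_passes(mincount, 1));
    printf("guard rejects   : %d\n", out_of_space(0, mincount, l));
    return 0;
}
```

The character count (2^30) fits in 32 bits while the byte count (2^32) wraps to 0, which is why a check in characters lets the undersized allocation through and a check in bytes does not.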

Preconditions

  • config: Perl must be built for a 32-bit platform (ptrsize == 4)
  • input: Attacker must be able to supply a regular expression to the perl compiler (e.g., via a regex literal or qr//)

Reproduction

On a 32-bit perl build, run: `perl -e '/\x{10000}{1073741824}/'`. Before the fix this crashes with a heap buffer overflow; after the fix it prints `"Regexp out of space"` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
