VYPR
← All advisories
Unrated severityNVD Advisory· Published May 30, 2026

CVE-2026-8594

CVE-2026-8594

Description

Text::LineFold versions through 2019.001 for Perl duplicate the output based on the number of special break characters.

Text::LineFold splits the input string by specific line break characters (such as VT, FF and others) into segments, but applies the break function to the entire string, not just the segment.

A side effect of this is that the full input can be duplicated for each segment. Besides being incorrect, this can lead to unexpected resource consumption and possible denial of service.

Note that Text::LineFold is part of the Unicode-LineBreak distribution, which may have a higher version number than the module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Text::LineFold for Perl incorrectly duplicates output per break character, enabling resource exhaustion and denial of service.

Vulnerability

Text::LineFold versions through 2019.001 for Perl, part of the Unicode-LineBreak distribution, contain a logic flaw in the fold function. When splitting input on special line break characters such as VT or FF, the function applies the break operation to the entire input string for each segment, rather than only to the individual segment. This causes the full input to be duplicated in the output for every break character present. Affected versions include Unicode-LineBreak 2019.001 and earlier, with the module version possibly being lower than the distribution version.

Exploitation

An attacker who can provide crafted input to an application using Text::LineFold can trigger the duplication. No authentication or specific network position is required if the application exposes the fold functionality to untrusted data. By supplying a string containing multiple special break characters (e.g., VT, FF), the attacker causes exponential growth in output size relative to the number of such characters, leading to excessive CPU and memory consumption.

Impact

Successful exploitation results in a denial of service condition due to unexpected resource consumption. The bug also produces incorrect line folding output, but the primary security concern is the potential for resource exhaustion, which can degrade or crash the application or server processing the malformed input.

Mitigation

A fix has been provided in commit [1] and pull request #6 [2] for the Unicode-LineBreak repository. Users should update to a patched version; maintainers released a corrected release shortly after disclosure. If an immediate update is not possible, input validation to limit the number of special break characters can reduce risk. There is no indication this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

References
  1. lib/Text/LineFold.pm - metacpan.org
  2. Fix CVE-2026-8594 by robrwo · Pull Request #6 · hatukanezumi/Unicode-LineBreak

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
7ed970fbcdac

Merge 5a91f0786816de07f22b55e3fd622b1d5646bf8f into 43dab876e68438965de871ddbecf756030d61877

https://github.com/hatukanezumi/unicode-linebreakRobert RothenbergMay 30, 2026via nvd-ref
commitPR #6
1 file changed · +1 1
  • lib/Text/LineFold.pm+1 1 modified
    @@ -410,7 +410,7 @@ sub fold {
         if ($s =~ $special_break) {
             $result .= $s;
         } else {
-            $result .= $self->break($str);
+            $result .= $self->break($s);
         }
     }

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

3

News mentions

0

No linked articles in our index yet.