PatchSiren cyber security CVE debrief

CVE-2026-8594 NEZUMI CVE debrief

A flaw in Text::LineFold (part of the Unicode-LineBreak distribution for Perl) causes input duplication when special break characters are present. The module splits input on characters such as VT and FF into segments, but incorrectly applies the break function to the entire original string rather than to each segment individually. As a result, the full input is duplicated once per segment, which can drive unexpected resource consumption and denial of service. Versions through 2019.001 are affected.

Vendor: NEZUMI
Product: Text::LineFold
CVSS: MEDIUM 6.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-30
Original CVE updated: 2026-06-01
Advisory published: 2026-05-30
Advisory updated: 2026-06-01

Who should care

Teams running Perl applications that process untrusted text through Text::LineFold or the Unicode-LineBreak distribution, especially services handling bulk user content or automated document pipelines.

Technical summary

Text::LineFold in Unicode-LineBreak ≤2019.001 splits input on special break characters (VT, FF, etc.) into segments, then erroneously runs the break routine against the whole input string for each segment. The full input is therefore duplicated once per segment, leading to superlinear growth in output size and potential denial of service through memory/CPU exhaustion. CVSS rates the attack vector as local (AV:L), with no privileges or user interaction required.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Unicode-LineBreak/Text::LineFold to a fixed version when available; apply the vendor patch (CVE-2026-8594-r1) if running version 2019.001 or earlier.
  • Review applications that pass untrusted or large input to Text::LineFold and consider input sanitization or length limits as a temporary control.
  • Monitor the Unicode-LineBreak distribution on CPAN for an updated release that resolves the incorrect segment handling.
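
A pre-fold guard for the temporary control in the second action above, as an added example (not code from Unicode-LineBreak or the advisory). The break-character class, the limits and the helper names fold_budget and neutralise_breaks are assumptions for illustration.

```perl
use strict;
use warnings;

# Assumption: the advisory names VT and FF and says "etc."; extend this class
# to match the characters your installed Text::LineFold actually splits on.
my $SPECIAL_BREAK = qr/[\x{0B}\x{0C}]/;

# Hypothetical limits (in characters); tune to the workload.
my %LIMIT = (max_input => 1_000_000, max_projected => 8_000_000);

# Estimate worst-case output on an affected version: the whole input is
# emitted once per segment, so projected size is length * segments.
sub fold_budget {
    my ($text) = @_;
    my $breaks    = () = $text =~ /$SPECIAL_BREAK/g;
    my $segments  = $breaks + 1;
    my $projected = length($text) * $segments;
    my $ok = length($text) <= $LIMIT{max_input}
          && $projected    <= $LIMIT{max_projected};
    return ($ok ? 1 : 0, $segments, $projected);
}

# Lossy temporary control: turn special breaks into plain newlines so the
# input forms a single segment.
sub neutralise_breaks {
    my ($text) = @_;
    (my $clean = $text) =~ s/$SPECIAL_BREAK/\n/g;
    return $clean;
}

# Constructed sample inputs (not taken from the advisory).
my $ff_block = "word " x 20 . "\x{0C}";    # 100 characters followed by one FF
my %sample = (
    plain      => "word " x 2_000,         # no special breaks
    form_feeds => $ff_block x 500,         # 500 FF characters
);

for my $name (sort keys %sample) {
    my $text = $sample{$name};
    my ($ok, $segments, $projected) = fold_budget($text);
    printf "%-10s len=%d segments=%d projected=%d %s\n",
        $name, length($text), $segments, $projected, $ok ? 'accept' : 'reject';
    next if $ok;
    my ($ok2, $seg2, $proj2) = fold_budget(neutralise_breaks($text));
    printf "%-10s after neutralise: segments=%d projected=%d %s\n",
        $name, $seg2, $proj2, $ok2 ? 'accept' : 'reject';
}
```

Call fold_budget on untrusted text before handing it to Text::LineFold, and reject or neutralise the input when the check fails.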

Evidence notes

The NVD record (modified 2026-06-01) lists CVSS 6.2 (MEDIUM) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and weaknesses CWE-405 (Asymmetric Resource Consumption) and CWE-407 (Inefficient Algorithmic Complexity). The oss-security mailing list post (2026-05-30) and a GitHub pull request are cited as references. A patch is available via security.metacpan.org.

Official resources

2026-05-30T16:17:05.067Z