PatchSiren cyber security CVE debrief
CVE-2026-14741 OALDERS CVE debrief
A vulnerability in HTTP::Date versions before 6.08 for Perl allows CPU exhaustion via polynomial regex backtracking in parse_date. The parse_date() function matches date strings against alternative regexes, leading to potential denial of service via unbounded CPU consumption. This vulnerability can be triggered by specially crafted date strings in HTTP headers, which can originate from untrusted sources. The vulnerability has a high defensive priority, and users of HTTP::Date versions before 6.08 for Perl should be aware of this vulnerability and take steps to mitigate potential denial of service attacks.
- Vendor
- OALDERS
- Product
- HTTP::Date
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of HTTP::Date versions before 6.08 for Perl should be aware of this vulnerability and take steps to mitigate potential denial of service attacks. This includes validating and sanitizing date headers from untrusted sources, implementing rate limiting or timeouts for date parsing operations, and monitoring CPU usage and system performance for anomalies. Additionally, operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability and should review the official CVE record and vendor guidance.
Technical summary
The HTTP::Date module for Perl, versions before 6.08, is vulnerable to CPU exhaustion due to polynomial regex backtracking in the parse_date function. This function is used to parse timestamps from HTTP headers, which can originate from untrusted sources. A specially crafted date string can cause the regex engine to backtrack excessively, leading to significant CPU consumption and potential denial of service. The vulnerability can be mitigated by updating to version 6.08 or later, validating and sanitizing date headers, and implementing rate limiting or timeouts for date parsing operations.
Defensive priority
High
Recommended defensive actions
- Update HTTP::Date to version 6.08 or later
- Validate and sanitize date headers from untrusted sources
- Implement rate limiting or timeouts for date parsing operations
- Monitor CPU usage and system performance for anomalies
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T16:17:13.443Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official CVE record. The HTTP::Date module for Perl, versions before 6.08, is vulnerable to CPU exhaustion due to polynomial regex backtracking in the parse_date function.
Official resources
-
CVE-2026-14741 CVE record
CVE.org
-
CVE-2026-14741 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
9b29abf9-4ab0-4765-b253-1875cd9b441e
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:13.443Z and has not been modified since then. The NVD entry is currently Deferred.