PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14741 OALDERS CVE debrief

A vulnerability in HTTP::Date versions before 6.08 for Perl allows CPU exhaustion via polynomial regex backtracking in parse_date. The parse_date() function matches date strings against alternative regexes, leading to potential denial of service via unbounded CPU consumption. This vulnerability can be triggered by specially crafted date strings in HTTP headers, which can originate from untrusted sources. The vulnerability has a high defensive priority, and users of HTTP::Date versions before 6.08 for Perl should be aware of this vulnerability and take steps to mitigate potential denial of service attacks.

Vendor
OALDERS
Product
HTTP::Date
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of HTTP::Date versions before 6.08 for Perl should be aware of this vulnerability and take steps to mitigate potential denial of service attacks. This includes validating and sanitizing date headers from untrusted sources, implementing rate limiting or timeouts for date parsing operations, and monitoring CPU usage and system performance for anomalies. Additionally, operators, platform administrators, vulnerability management teams, and security teams may be impacted by this vulnerability and should review the official CVE record and vendor guidance.

Technical summary

The HTTP::Date module for Perl, versions before 6.08, is vulnerable to CPU exhaustion due to polynomial regex backtracking in the parse_date function. This function is used to parse timestamps from HTTP headers, which can originate from untrusted sources. A specially crafted date string can cause the regex engine to backtrack excessively, leading to significant CPU consumption and potential denial of service. The vulnerability can be mitigated by updating to version 6.08 or later, validating and sanitizing date headers, and implementing rate limiting or timeouts for date parsing operations.

Defensive priority

High

Recommended defensive actions

  • Update HTTP::Date to version 6.08 or later
  • Validate and sanitize date headers from untrusted sources
  • Implement rate limiting or timeouts for date parsing operations
  • Monitor CPU usage and system performance for anomalies
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T16:17:13.443Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official CVE record. The HTTP::Date module for Perl, versions before 6.08, is vulnerable to CPU exhaustion due to polynomial regex backtracking in the parse_date function.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:13.443Z and has not been modified since then. The NVD entry is currently Deferred.