PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8376 SHAY CVE debrief

A heap buffer overflow vulnerability exists in Perl versions through 5.43.10 when compiling regular expressions containing a repeated fixed string on 32-bit builds. The flaw resides in `Perl_study_chunk` within `regcomp_study.c`, where the size of the joined substring buffer was checked in characters rather than bytes. For quantified fixed substrings with large minimum counts, the byte length calculation (`mincount * l`) can overflow `SSize_t`, resulting in an undersized `SvGROW` allocation. The subsequent copy operation then writes past the end of the buffer. An attacker who can supply a malicious regular expression to a 32-bit Perl build can trigger this heap buffer overflow at compile time.

Vendor
SHAY
Product
perl
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-27
Advisory published
2026-05-26
Advisory updated
2026-05-27

Who should care

Organizations running 32-bit Perl builds, especially those processing untrusted regular expressions; developers of Perl-based web applications and security tools; system administrators maintaining legacy 32-bit infrastructure.

Technical summary

The vulnerability stems from an integer overflow when calculating buffer sizes for repeated fixed strings in Perl regular expression compilation. On 32-bit systems, `SSize_t` is typically 32 bits, making overflow more likely when `mincount * l` exceeds 2^31-1. The fix involves checking buffer sizes in bytes rather than characters to prevent undersized allocations.
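The size arithmetic described above, modelled as an added example (not Perl's code): a 32-bit signed size type is assumed as the stand-in for `SSize_t`, and the unchecked product is shown beside an overflow-checked one that refuses sizes which would wrap.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for SSize_t on a 32-bit build (assumption for this example). */
typedef int32_t ssize32_t;

/* Unchecked product, as the vulnerable path effectively computes it:
 * mincount * l wraps, so the resulting "byte length" can be small or
 * negative, and an allocation sized from it is undersized.
 * Computed in 64 bits and truncated so the wrap is modelled without
 * signed-overflow undefined behaviour. */
ssize32_t naive_joined_bytes(ssize32_t mincount, ssize32_t l)
{
    int64_t wide = (int64_t)mincount * (int64_t)l;
    return (ssize32_t)(uint32_t)wide;
}

/* Overflow-checked product: returns false when mincount * l does not fit
 * in a 32-bit signed size, so the caller can reject the pattern instead
 * of growing the buffer to a wrapped, too-small size. */
bool checked_joined_bytes(ssize32_t mincount, ssize32_t l, ssize32_t *out)
{
    if (mincount < 0 || l < 0)
        return false;
    if (l != 0 && mincount > INT32_MAX / l)
        return false;               /* product would exceed INT32_MAX */
    *out = mincount * l;
    return true;
}

int main(void)
{
    /* constructed inputs: a large minimum repeat count of a 64 KiB string */
    ssize32_t mincount = 65537, l = 65536, bytes;
    printf("wrapped size: %d\n", naive_joined_bytes(mincount, l)); /* 65536 */
    printf("checked: %s\n",
           checked_joined_bytes(mincount, l, &bytes) ? "ok" : "rejected");
    return 0;
}
```

The wrapped result (65536 bytes for a string that really needs over 4 GiB) is exactly the undersized allocation the advisory describes; the checked version rejects it.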

Defensive priority

high

Recommended defensive actions

  • Upgrade Perl to a version containing the fix (commit 5e7f119eb2bb1181be908701f22bf7068e722f1c or later)
  • If running 32-bit Perl builds, prioritize patching due to compile-time exploitability
  • Restrict the ability of untrusted users to supply arbitrary regular expressions to Perl applications
  • Monitor for updated NVD analysis and CVSS scoring as the entry is currently 'Undergoing Analysis'

Evidence notes

The vulnerability was disclosed on 2026-05-26 with NVD status 'Undergoing Analysis'. The issue affects 32-bit Perl builds specifically. A patch commit is available addressing the integer overflow in buffer size calculation.

Official resources

2026-05-26