CVE-2026-7040: Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters
Robert Rothenberg 27 Apr 2026 12:31 UTC

========================================================================
CVE-2026-7040                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-7040
   Distribution:  Text-Minify-XS
       Versions:  from v0.3.0 before v0.7.8

       MetaCPAN:  https://metacpan.org/dist/Text-Minify-XS
       VCS Repo:  https://github.com/robrwo/Text-Minify-XS

Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have heap
overflow when processing some malformed UTF-8 characters

Description
-----------
Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a
heap overflow when processing some malformed UTF-8 characters.

The minify functions mishandled some malformed UTF-8 characters,
leading to heap corruption.

Note that the minify_utf8 function is an alias for minify.

Problem types
-------------
- CWE-176 Improper Handling of Unicode Encoding
- CWE-122 Heap-based Buffer Overflow

Workarounds
-----------
Validate all strings passed to the minify and minify_utf8
functions.
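
One way to apply this workaround, as an added example (not code from the
advisory or from the Text-Minify-XS project). It assumes "validate" means
rejecting input that is not well-formed UTF-8; is_wellformed_utf8 and
safe_minify are hypothetical names, and the sample inputs are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Encode ();

# Returns true only if the scalar's buffer holds well-formed UTF-8.
sub is_wellformed_utf8 {
    my ($str) = @_;
    return 0 unless defined $str && !ref $str;

    # Character string (UTF8 flag on): check the internal buffer is consistent.
    return utf8::valid($str) ? 1 : 0 if utf8::is_utf8($str);

    # Byte string: strict decode of a copy; FB_CROAK dies on malformed input.
    # Conservative: Latin-1 bytes that are not UTF-8 are rejected as well.
    my $copy = $str;
    return eval { Encode::decode('UTF-8', $copy, Encode::FB_CROAK); 1 } ? 1 : 0;
}

# Hypothetical wrapper: refuse to hand unvalidated input to the XS code.
sub safe_minify {
    my ($str) = @_;
    die "refusing to minify: input is not well-formed UTF-8\n"
        unless is_wellformed_utf8($str);
    require Text::Minify::XS;    # loaded only once the input has passed
    return Text::Minify::XS::minify($str);
}

# Constructed sample inputs: byte strings unless noted otherwise.
my @samples = (
    [ 'ASCII'                 => "hello  world\n"       ],
    [ 'valid 2-byte sequence' => "caf\xC3\xA9\n"        ],
    [ 'truncated sequence'    => "abc\xE2\x82"          ],
    [ 'stray continuation'    => "abc\x80def"           ],
    [ 'overlong encoding'     => "\xC0\xAF"             ],
    [ 'decoded characters'    => "caf\x{e9} \x{263A}\n" ],
);
for my $s (@samples) {
    printf "%-22s %s\n", $s->[0],
        is_wellformed_utf8($s->[1]) ? 'accept' : 'reject';
}
```

The check is a stopgap for installations that cannot upgrade yet; it does
not remove the defect from the affected versions.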

Solutions
---------
Upgrade to v0.7.8 or later.

References
----------
https://github.com/robrwo/Text-Minify-XS/security/advisories/GHSA-jqhf-vv4h-77h2
https://metacpan.org/release/RRWO/Text-Minify-XS-v0.7.8/changes

Timeline
--------
- 2026-04-23: This issue was identified by CPANSec
- 2025-04-25: Fix uploaded to CPAN