CVE-2026-8376: Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds
Timothy Legge 25 May 2026 23:55 UTC
========================================================================
CVE-2026-8376 CPAN Security Group
========================================================================
CVE ID: CVE-2026-8376
Distribution: perl
Versions: through 5.43.10
MetaCPAN: https://metacpan.org/dist/perl
VCS Repo: https://github.com/Perl/perl5
Perl versions through 5.43.10 have a heap buffer overflow when
compiling regular expressions with a repeated fixed string on 32-bit
builds
Description
-----------
Perl versions through 5.43.10 have a heap buffer overflow when
compiling regular expressions with a repeated fixed string on 32-bit
builds.
Perl_study_chunk in regcomp_study.c checked the size of the joined
substring buffer in characters rather than bytes. For a quantified
fixed substring with a large minimum count, the byte length mincount *
l (the minimum repeat count times the byte length of the fixed string)
could overflow SSize_t, which is only 32 bits wide on 32-bit builds.
The wrapped value produced an undersized SvGROW allocation, and the
subsequent copy of the repeated substring writes past the end of the
buffer.
Any code that compiles an attacker-controlled regular expression on a
32-bit perl build (for example via qr// or a match against a pattern
built from untrusted input) triggers the heap buffer overflow when the
pattern is compiled, before it is ever matched.
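The following is an added, simplified model of the size computation the
description above refers to; it is not code from perl's regcomp_study.c
and does not reproduce its data structures. It uses a 32-bit signed type
as a stand-in for SSize_t on a 32-bit build, contrasts the wrapping
product mincount * l with an overflow-checked version, and shows the join
of the repeated fixed string done only when the size is representable.
The names needed_bytes_flawed, needed_bytes_checked, copy_would_overflow
and join_repeated, and the sample inputs, are assumptions made for the
example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for SSize_t on a 32-bit perl build: a signed 32-bit size. */
typedef int32_t ssize32_t;

/*
 * Flawed size computation (illustrative, not perl's regcomp_study.c): the
 * product mincount * l is formed in the 32-bit signed type, so a large repeat
 * count wraps modulo 2^32 and yields a tiny (or negative) byte length. A
 * buffer grown to this size is then overrun by the copy of the repetitions.
 */
ssize32_t needed_bytes_flawed(ssize32_t mincount, ssize32_t l)
{
    return (ssize32_t)((uint32_t)mincount * (uint32_t)l);
}

/*
 * Checked computation: returns the byte length, or -1 when the inputs are
 * negative or mincount * l would not fit in ssize32_t.
 */
ssize32_t needed_bytes_checked(ssize32_t mincount, ssize32_t l)
{
    if (mincount < 0 || l < 0)
        return -1;
    if (l != 0 && mincount > INT32_MAX / l)
        return -1;                       /* product would overflow */
    return mincount * l;
}

/*
 * Would copying mincount * l bytes run past a buffer sized by the flawed
 * computation? The true length is formed in 64 bits so it cannot wrap here.
 */
int copy_would_overflow(ssize32_t mincount, ssize32_t l)
{
    uint64_t true_bytes = (uint64_t)mincount * (uint64_t)l;
    ssize32_t alloc = needed_bytes_flawed(mincount, l);
    if (alloc < 0)
        return 1;                        /* negative size handed to allocator */
    return true_bytes > (uint64_t)alloc;
}

/*
 * Safe join: builds mincount copies of the l-byte fixed string s, or returns
 * NULL when the required size cannot be represented. Caller frees the result.
 */
char *join_repeated(const char *s, ssize32_t l, ssize32_t mincount)
{
    ssize32_t n = needed_bytes_checked(mincount, l);
    if (n < 0)
        return NULL;
    char *buf = malloc((size_t)n + 1);
    if (!buf)
        return NULL;
    for (ssize32_t i = 0; i < mincount; i++)
        memcpy(buf + (size_t)i * (size_t)l, s, (size_t)l);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed input: a 4-byte fixed string repeated 0x40000001 times. */
    ssize32_t mincount = 0x40000001, l = 4;
    printf("flawed size: %d bytes, true size: %llu bytes, overflow: %d\n",
           needed_bytes_flawed(mincount, l),
           (unsigned long long)mincount * (unsigned long long)l,
           copy_would_overflow(mincount, l));
    printf("checked size: %d (-1 = rejected)\n",
           needed_bytes_checked(mincount, l));
    char *joined = join_repeated("abc", 3, 3);
    printf("safe join of \"abc\" x 3: %s\n", joined ? joined : "(rejected)");
    free(joined);
    return 0;
}
```

With mincount = 0x40000001 and l = 4 the wrapped product is 4, so the
flawed path would grow the buffer to 4 bytes and then copy about 4 GiB
into it; the checked path rejects the size instead. The same
multiply-before-check pattern is what to look for when auditing other
size computations on 32-bit targets: any product of attacker-influenced
counts and lengths must be bounds-checked before it reaches an
allocator.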
Problem types
-------------
- CWE-680 Integer Overflow to Buffer Overflow
Workarounds
-----------
On 32-bit perl builds, avoid compiling regular expressions from
untrusted input until a fixed release is installed.
Solutions
---------
Upgrade to a future perl release, or apply the upstream patch.
References
----------
https://github.com/Perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c.patch
Timeline
--------
- 2026-04-24: Issue reported.
- 2026-05-20: Fix merged to blead.