CVE-2026-8376 Overview
CVE-2026-8376 is a heap buffer overflow in Perl versions through 5.43.10 affecting 32-bit builds. The flaw resides in Perl_study_chunk within regcomp_study.c, where the regex compiler measures the joined substring buffer in characters instead of bytes. When a quantified fixed substring uses a large minimum count, the byte length mincount * l overflows SSize_t, leading to an undersized SvGROW allocation. The subsequent copy writes past the end of the heap buffer.
Any application compiling an attacker-controlled regular expression on a 32-bit Perl build triggers the overflow at compile time. The weakness is categorized as [CWE-680] (Integer Overflow to Buffer Overflow).
Critical Impact
Attackers who supply a crafted regular expression to a 32-bit Perl process can corrupt heap memory at compile time, enabling potential remote code execution or denial of service.
Affected Products
- Perl 5.x through 5.43.10 (32-bit builds)
- Applications embedding 32-bit perl that compile untrusted regular expressions
- Web applications, CGI scripts, and tooling running on 32-bit Perl interpreters
Discovery Timeline
- 2026-05-26 - CVE-2026-8376 published to NVD
- 2026-05-26 - Public disclosure on the OpenWall OSS Security mailing list
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-8376
Vulnerability Analysis
The vulnerability lives in Perl's regex study optimization phase. Perl_study_chunk joins quantified fixed substrings to optimize pattern matching. The original code computed the required buffer size using character counts, then multiplied mincount by the per-character length l without checking for integer overflow on 32-bit SSize_t.
For patterns such as /\x{10000}{1073741824}/, the product mincount * l exceeds SSize_t_MAX on a 32-bit build. The truncated result is passed to SvGROW, which allocates a buffer far smaller than the actual data that follows. The subsequent string copy then writes well past the allocation boundary, corrupting adjacent heap structures.
Root Cause
The root cause is an integer overflow that leads to a heap buffer overflow [CWE-680]. The size calculation in regcomp_study.c used character-based arithmetic rather than byte-based arithmetic, and lacked bounds checks against SSize_t_MAX before computing the allocation size.
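The size arithmetic described above, worked through in C as an added illustration. This is not Perl source code: SSize_t is modeled with int32_t, the function names are hypothetical, and the guard follows the shape of the condition in the upstream patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of a 32-bit build: SSize_t is 32 bits wide (assumption of this demo). */
typedef int32_t ssize32_t;
#define SSIZE32_MAX INT32_MAX

/* Bytes actually needed for `mincount` copies of an `l`-byte substring
 * appended after `old` existing bytes, computed without wrapping. */
static uint64_t needed_bytes(ssize32_t old, ssize32_t mincount, ssize32_t l)
{
    return (uint64_t)old + (uint64_t)mincount * (uint64_t)l;
}

/* The same sum as a 32-bit size would hold it: the high bits are lost. */
static uint32_t wrapped_bytes(ssize32_t old, ssize32_t mincount, ssize32_t l)
{
    return (uint32_t)needed_bytes(old, mincount, l);
}

/* Guard with the same shape as the patch: the division bounds mincount * l
 * first, so the multiplication in the second test cannot overflow. */
static int would_overflow(ssize32_t old, ssize32_t mincount, ssize32_t l)
{
    return l > 0 &&
           (mincount >= SSIZE32_MAX / l ||
            old > SSIZE32_MAX - mincount * l);
}

int main(void)
{
    /* U+10000 is 4 bytes in UTF-8; the count is the one in the page's pattern. */
    ssize32_t l = 4, mincount = 1073741824;
    printf("needed  = %llu bytes\n", (unsigned long long)needed_bytes(0, mincount, l));
    printf("wrapped = %lu bytes\n", (unsigned long)wrapped_bytes(0, mincount, l));
    printf("guard   = %s\n", would_overflow(0, mincount, l) ? "reject" : "accept");
    printf("{3} of the same character: %s\n", would_overflow(0, 3, l) ? "reject" : "accept");
    return 0;
}
```

The guard is deliberately conservative: a count equal to SSIZE32_MAX / l is rejected even though that product alone would still fit.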
Attack Vector
Exploitation requires the attacker to control a regular expression compiled by a 32-bit Perl interpreter. That exposure is common in CGI handlers, log parsers, web frameworks, and any tooling that accepts user-supplied regex input. The flaw triggers at regex compile time, so the attacker does not need the pattern to match anything.
(U8 *) SvEND(data->last_found))
- (U8*)s;
l -= old;
+
+ if (l > 0 &&
+ (mincount >= SSize_t_MAX / (SSize_t)l
+ || old > SSize_t_MAX - mincount * (SSize_t)l)) {
+ FAIL("Regexp out of space");
+ }
+
/* Get the added string: */
last_str = newSVpvn_utf8(s + old, l, UTF);
last_chrs = UTF ? utf8_length((U8*)(s + old),
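Review bot: In the added condition, the second test (old > SSize_t_MAX - mincount * (SSize_t)l) performs the multiplication it is meant to guard, and it is only overflow-free because the first test has already rejected mincount >= SSize_t_MAX / (SSize_t)l and || short-circuits. A short comment above the if stating that ordering dependency would keep a later refactor from reordering or splitting the two tests. The same comment could note that >= also rejects the exact-fit case where mincount equals the quotient, which is a conservative choice rather than an off-by-one. No regression test is visible in this hunk; a case that expects compilation to fail with "Regexp out of space" when the size would wrap would be worth adding alongside it.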
Source: Perl5 commit 5e7f119eb2bb. The patch adds explicit overflow checks against SSize_t_MAX before the allocation and fails the regex compilation with Regexp out of space when the size would wrap.
Detection Methods for CVE-2026-8376
Indicators of Compromise
- Perl interpreter crashes or segmentation faults during regex compilation on 32-bit hosts
- Error messages referencing Regexp out of space after applying the patch, indicating attempted exploitation
- Anomalous regex patterns containing very large quantifier counts such as {1073741824} in inbound request data or logs
Detection Strategies
- Inventory all Perl installations across the environment and identify 32-bit builds using perl -V:ptrsize where ptrsize=4 indicates a vulnerable target architecture
- Inspect web server, CGI, and application logs for user-supplied regular expressions containing large repetition counts or unusual Unicode codepoint sequences
- Correlate Perl process crash events with preceding HTTP requests or input that contained regex-like payloads
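The log inspection strategy above, sketched as an added triage helper. It is not part of the original advisory or of Perl; the function names, the sample lines and the 100000 threshold (the same six-digit cut-off as the page's input filter) are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUANT_LIMIT 100000ULL /* assumed alert threshold (six digits) */

/* Largest minimum repeat count among {n}, {n,} and {n,m} in s (0 if none).
 * Braces that belong to escapes such as \x{...} or \p{...} are skipped. */
unsigned long long max_min_quantifier(const char *s)
{
    unsigned long long best = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '{') continue;
        if (p - s >= 2 && p[-2] == '\\' && strchr("xoNpPgkbB", p[-1])) continue;
        const char *q = p + 1;
        while (*q == ' ' || *q == '\t') q++;
        if (!isdigit((unsigned char)*q)) continue;
        char *end;
        unsigned long long n = strtoull(q, &end, 10); /* saturates on overflow */
        while (*end == ' ' || *end == '\t') end++;
        if (*end == ',')
            do end++; while (isdigit((unsigned char)*end) || *end == ' ' || *end == '\t');
        if (*end == '}' && n > best) best = n;
    }
    return best;
}

int line_is_suspicious(const char *line)
{
    return max_min_quantifier(line) >= QUANT_LIMIT;
}

int main(void)
{
    /* Constructed sample log lines, assumed to be URL-decoded already. */
    const char *lines[] = {
        "GET /search?re=\\x{10000}{1073741824} HTTP/1.1",
        "GET /search?re=^ab{2,5}c$ HTTP/1.1",
        "GET /search?re=a{ 200000 , } HTTP/1.1",
        "GET /search?re=\\x{100000}+ HTTP/1.1",
    };
    for (size_t i = 0; i < sizeof lines / sizeof *lines; i++)
        printf("%-6s %s\n", line_is_suspicious(lines[i]) ? "ALERT" : "ok", lines[i]);
    return 0;
}
```

This is a heuristic for triage, not a regex parser: it does not track character classes or escaped backslashes, so treat hits as leads to correlate with crash events.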
Monitoring Recommendations
- Enable core dump collection on hosts running 32-bit Perl to capture exploitation attempts for forensic analysis
- Monitor for unexpected child process termination of perl, httpd, or other interpreters embedding Perl
- Alert on application error logs containing Regexp out of space or heap corruption signatures from glibc such as malloc(): corrupted messages
How to Mitigate CVE-2026-8376
Immediate Actions Required
- Apply the upstream Perl patch from commit 5e7f119eb2bb1181be908701f22bf7068e722f1c or upgrade to a Perl release that includes the fix
- Audit all code paths that compile regular expressions from untrusted sources and add input validation for quantifier ranges
- Where feasible, migrate 32-bit Perl deployments to 64-bit builds, which are not affected by the integer overflow
Patch Information
The fix is committed upstream in the Perl5 repository. See the Perl5 security patch for the change to regcomp_study.c. The patch validates that mincount * l cannot overflow SSize_t_MAX before allocation and emits a Regexp out of space compile-time error when the bound would be exceeded. Distributors including the OpenWall community have tracked the issue via the OpenWall OSS Security advisory.
Workarounds
- Restrict user-supplied regular expression input by rejecting patterns containing large quantifier values before passing them to qr// or m//
- Run Perl workloads on 64-bit operating systems and interpreters until patched packages are deployed
- Sandbox CGI and web handlers that compile dynamic regexes using process isolation or resource limits to contain heap corruption
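# Verify Perl pointer size and version on each host (ptrsize=4 is a 32-bit build)
perl -V:ptrsize -V:version
# Example regex input filter applied before compilation.
# Rejects {n}, {n,}, {n,m} and {,m} when any count has six or more digits;
# the original check only caught the plain {n} form.
perl -e 'my $re = $ARGV[0];
  die "rejected: quantifier too large\n"
    if $re =~ /\{[\s\d,]*\d{6,}[\s\d,]*\}/;
  qr/$re/;' "$USER_REGEX"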