Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.
Perlstudychunk in regcompstudy.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSizet, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer.
A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
{
"cwe_ids": [
"CWE-680"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8376.json",
"cna_assigner": "CPANSec"
}{
"cpe": "cpe:2.3:a:perl:perl:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "5.43.10"
}
],
"source": [
"CPE_RANGE",
"REFERENCES"
]
}[
{
"source": "https://github.com/perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c",
"signature_version": "v1",
"signature_type": "Line",
"digest": {
"line_hashes": [
"9044274273817096257826340016907433463",
"10824497922658380334050930273948771395",
"22606885329989943457972533494694044144",
"245540066980495066395013891761984069220"
],
"threshold": 0.9
},
"deprecated": false,
"id": "CVE-2026-8376-595191c9",
"target": {
"file": "regcomp_study.c"
}
},
{
"source": "https://github.com/perl/perl5/commit/5e7f119eb2bb1181be908701f22bf7068e722f1c",
"signature_version": "v1",
"signature_type": "Function",
"digest": {
"function_hash": "108310289957967335225355739344715828892",
"length": 42758.0
},
"deprecated": false,
"id": "CVE-2026-8376-642f39d4",
"target": {
"function": "Perl_study_chunk",
"file": "regcomp_study.c"
}
}
]
"2026-07-17T00:53:32Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8376.json"