HTML::Entities versions before 3.84 for Perl read freed heap memory in decodeentities.
The XS routine backing HTML::Entities::decodeentities cached a pointer (repl) into the entity-value SV returned by hvfetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to growgap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.
The read may disclose adjacent heap contents into the destination SV.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8829.json",
"cna_assigner": "CPANSec",
"cwe_ids": [
"CWE-416"
]
}{
"source": [
"CPE_RANGE",
"REFERENCES"
],
"cpe": "cpe:2.3:a:oalders:html\\:\\:entities:*:*:*:*:*:perl:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "3.84"
}
]
}