Cyber Posture

CVE-2026-4176

Critical

Published: 29 March 2026

Modified: 22 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4176 is a critical-severity vulnerability in Perl (vendor: Perl); the weakness type is unspecified. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 7.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-8 (System Component Inventory).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent (SI-2 Flaw Remediation): Directly requires timely identification, reporting, and correction of software flaws such as the vulnerable Compress::Raw::Zlib bundled in affected Perl versions.

detect: Enables regular vulnerability scanning to identify systems running Perl versions affected by CVE-2026-4176.

detect (CM-8 System Component Inventory): Maintains an inventory of system components to identify and track Perl installations vulnerable to CVE-2026-4176.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploitation of the vulnerable zlib in Perl's Compress::Raw::Zlib module directly enables initial access via T1190 against public-facing Perl applications or services that process attacker-supplied compressed data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

Deeper analysis (AI-generated)

CVE-2026-4176 affects Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, and from 5.43.0 before 5.43.9. The vulnerability stems from a vulnerable version of the Compress::Raw::Zlib module, which is bundled as a dual-life core module in the Perl package. This module vendors a version of zlib containing multiple vulnerabilities, including CVE-2026-3381 and CVE-2026-27171. The issue was addressed by updating Compress::Raw::Zlib to version 2.221 in Perl's blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94. The vulnerability has a CVSS v3.1 base score of 9.8.

Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, as indicated by the CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Advisories recommend updating to patched Perl releases such as 5.40.4, 5.42.2-RC1, or 5.43.9, which incorporate the fixed Compress::Raw::Zlib version 2.221. Relevant announcements are available via MetaCPAN security lists and release changes for Compress-Raw-Zlib 2.221, perl-5.40.4, and perl-5.42.2. The upstream fix is detailed in the Perl GitHub commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
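As an added example (not code from this page or from the Perl project), the following Python check encodes the affected Perl version ranges and the fixed Compress::Raw::Zlib release stated above and flags inventory entries that still need remediation, which is the SI-2 / CM-8 workflow the controls section describes. Release candidates are ordered before the corresponding final release so that the "before 5.40.4-RC1" style boundaries are honoured; the hostnames and module versions in the sample inventory are constructed, and treating a CPAN-upgraded Compress::Raw::Zlib as superseding the bundled copy is my assumption, not a statement from the advisory.

```python
import re
# Affected ranges from the NVD description on this page, as [start, first fixed release).
AFFECTED_RANGES = [
    ("5.9.4", "5.40.4-RC1"),
    ("5.41.0", "5.42.2-RC1"),
    ("5.43.0", "5.43.9"),
]
FIXED_ZLIB_MODULE = "2.221"  # Compress::Raw::Zlib release carrying the fix
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.IGNORECASE)

def parse_perl_version(text):
    """Sortable key for 'X.Y.Z' or 'X.Y.Z-RCn'. A release candidate sorts before
    the final release of the same number, so the 'before 5.42.2-RC1' bound holds."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Perl version: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)    # final release
    return (int(major), int(minor), int(patch), 0, int(rc))  # release candidate

def perl_version_affected(version):
    key = parse_perl_version(version)
    return any(parse_perl_version(lo) <= key < parse_perl_version(hi)
               for lo, hi in AFFECTED_RANGES)

def zlib_module_patched(module_version):
    # Compress::Raw::Zlib uses decimal CPAN version strings ('2.212'); compare numerically.
    return float(module_version) >= float(FIXED_ZLIB_MODULE)

def triage_inventory(hosts):
    """hosts: (hostname, Perl version, Compress::Raw::Zlib version or None). A host is
    flagged when its Perl is in an affected range and the module is not at the fix."""
    flagged = []
    for host, perl_v, zlib_v in hosts:
        if not perl_version_affected(perl_v):
            continue
        if zlib_v is not None and zlib_module_patched(zlib_v):
            continue  # assumption: a CPAN upgrade of the dual-life module supersedes the bundled copy
        flagged.append(host)
    return flagged

# Constructed sample inventory; hostnames and module versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("web-01", "5.40.3", "2.212"),     # affected Perl, old module -> flagged
    ("web-02", "5.40.4", None),        # final 5.40.4 is past the 5.40.4-RC1 boundary
    ("build-01", "5.42.2-RC1", None),  # exactly the fixed boundary -> not affected
    ("legacy-01", "5.36.0", "2.221"),  # affected Perl, but module already at 2.221
    ("ci-01", "5.43.8", "2.204"),      # affected Perl, old module -> flagged
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` returns `['web-01', 'ci-01']`; feed it real inventory rows (for example the output of `perl -v` and `perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION'` collected per host) to get the remediation list.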

Details

CWE(s)

Affected Products

perl (vendor: perl)
Affected version ranges: from 5.9.4 before 5.40.4 · from 5.41.0 before 5.42.2 · from 5.43.0 before 5.43.9

References