Cyber Resilience

CVE-2026-8376

Critical

Published: 26 May 2026

Published
26 May 2026
Modified
27 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 31.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-8376 is a critical-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in Perl Perl. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 31.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified…

more

fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow during attacker-controlled regex compilation enables client-side code execution via crafted input to the Perl interpreter.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4176Same product: Perl Perl
CVE-2025-52930Shared CWE-680
CVE-2025-32468Shared CWE-680
CVE-2025-46407Shared CWE-680
CVE-2025-52456Shared CWE-680
CVE-2025-54952Shared CWE-680
CVE-2025-53510Shared CWE-680
CVE-2026-25541Shared CWE-680
CVE-2024-57956Shared CWE-680
CVE-2024-56451Shared CWE-680

Affected Assets

perl
perl
≤ 5.43.10

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References