CRITICAL🇵🇱 Wersja polska

CVE-2026-4176

CVSS 9.8v3.1pub. 2026-03-29upd. 2026-04-22

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

🤖 AI Analysis
How it works

The Compress::Raw::Zlib module is delivered as a built-in core module (dual-life core module) in the Perl package and contains its own bundled copy of the zlib library. This bundled version of zlib is vulnerable to CVE-2026-3381 and CVE-2026-27171, which encompass a number of security flaws. The fix consists of updating the built-in Compress::Raw::Zlib module to version 2.221.

Impact

A remote attacker, without requiring authentication, can compromise the confidentiality, integrity, and availability of the system — potentially gaining full control over the vulnerable application or system.

Mitigation & patch

Perl should be updated to version 5.40.4-RC1 or later (stable branch), 5.42.2-RC1 or later, or 5.43.9 or later (developer branch). Alternatively, manual update of the Compress::Raw::Zlib module to version 2.221 (commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94) is possible. Details are available in the vendor references.

Who is affected

Perl in versions from 5.9.4 to (excluding) 5.40.4-RC1, from 5.41.0 to (excluding) 5.42.2-RC1, and from 5.43.0 to (excluding) 5.43.9

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Perl

    APP
    Perl
    5.9.4 – 5.40.4 (bez)5.41.0 – 5.42.2 (bez)5.43.0 – 5.43.9 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-8376CRITICAL9.8PL ✓ten sam produkt

Heap buffer overflow w Perl przy kompilacji wyrażeń regularnych (32-bit)

CVE-2022-48522CRITICAL9.8ten sam produkt

In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execut...

CVE-2018-18311CRITICAL9.8ten sam produkt

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that trigge...

CVE-2018-18314CRITICAL9.8ten sam produkt

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operatio...

CVE-2018-18313CRITICAL9.1ten sam produkt

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensiti...