CPANSA-perl-2026-4176: perl vulnerability

Publisher giterlizzi Document category csaf_security_advisory
Initial release date 2026-03-29T00:00:00 Engine CSAF Perl Toolkit 0.26
Current release date 2026-03-29T00:00:00 Build Date
Current version 1 Status final
CVSS v3.1 Base Score 9.8 Severity
Original language Language en
Also referred to

Vulnerability Description

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

Vulnerabilities

CVE-2026-4176

Vulnerability Description

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.

Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

Product status

Known affected
Product Score
perl greater than 5.9.4 and less than 5.40.4
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 Critical
perl greater than or equal 5.41.0 and less than 5.42.3
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 Critical
perl greater than or equal 5.43.0 and less than 5.43.9
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 Critical
Fixed

CVE-2026-3381

Vulnerability Description

Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib.

Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171.

Weakness CWE-1284 : Improper Validation of Specified Quantity in Input

Product status

Known affected
Product Score
perl greater than 5.9.4 and less than 5.40.4
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 Critical
perl greater than or equal 5.41.0 and less than 5.42.3
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 Critical
perl greater than or equal 5.43.0 and less than 5.43.9
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 9.8 Critical
Fixed

CVE-2026-27171

Vulnerability Description

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Weakness CWE-1284 : Improper Validation of Specified Quantity in Input

Product status

Known affected
Product Score
perl greater than 5.9.4 and less than 5.40.4
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.9 Low
perl greater than or equal 5.41.0 and less than 5.42.3
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.9 Low
perl greater than or equal 5.43.0 and less than 5.43.9
CVSS Version CVSS Vector CVSS Base Score CVSS Base Severity
3.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.9 Low
Fixed

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

Revision history

Version Date of the revision Summary of the revision
1 Sun Mar 29 00:00:00 2026 First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/