DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-4176: Remote Code Execution via Heap-Based Buffer Overflow in Perl Compress::Raw::Zlib

Vulnerability ID: CVE-2026-4176
CVSS Score: 9.8
Published: 2026-03-29

CVE-2026-4176 is a critical dependency chain vulnerability in the Perl programming language. It is caused by the inclusion of an outdated version of the Compress::Raw::Zlib core module, which bundles a vulnerable version of the zlib compression library. This exposure allows unauthenticated remote attackers to achieve arbitrary code execution or denial of service via malformed compressed data streams.

TL;DR

Perl's core Compress::Raw::Zlib module uses an outdated zlib library, enabling heap-based buffer overflows and race conditions that lead to remote code execution and denial of service.


Technical Details

  • CWE ID: CWE-1395
  • Attack Vector: Network
  • CVSS Score: 9.8
  • EPSS Score: 0.00019
  • Primary Impact: Remote Code Execution / Denial of Service
  • Exploit Status: None publicly known
  • CISA KEV: Not listed

Affected Systems

  • Perl 5.9.4 to < 5.40.4-RC1 (fixed in 5.40.4)
  • Perl 5.41.0 to < 5.42.2-RC1 (fixed in 5.42.2)
  • Perl 5.43.0 to < 5.43.9 (fixed in 5.43.9)
  • Compress::Raw::Zlib <= 2.219 (fixed in 2.222)
  • Vendored zlib instances in Perl prior to version 1.3.2 (fixed in 1.3.2)

Code Analysis

Commit: c75ae9c

The Perl core commit patches the vendored zlib: it mitigates an integer overflow in compressBound and corrects a threading flaw in the dynamic CRC table initialization.

Changes include redefining uLong as z_size_t, adding bounds checks that return -1 on overflow, and implementing z_once constraints.

Mitigation Strategies

  • Upgrade the Perl distribution to a patched version (5.40.4, 5.42.2, or 5.43.9).
  • Update the Compress::Raw::Zlib module independently via CPAN to version 2.222 or later.
  • Update the system-level zlib library to version 1.3.2 for dynamically linked Perl environments.
  • Implement network-level rate limiting to mitigate concurrent requests exploiting the CPU consumption and race condition flaws.

Remediation Steps:

  1. Execute perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION' to determine if the local installation is vulnerable.
  2. If the version is lower than 2.222, initiate an immediate upgrade of the core Perl environment.
  3. If a full environment upgrade is impossible, install the patched module manually using a package manager or CPAN (cpanm Compress::Raw::Zlib).
  4. Verify that the patched module takes precedence in the @INC path over the bundled core module.
  5. Monitor application crash logs for segfaults associated with compression routines, which may indicate exploitation attempts.
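The remediation checks above, steps 1 through 4, gathered into one script. This is an added example; it is not part of the report and not code from the Perl distribution. It loads Compress::Raw::Zlib, reports the module version and the zlib it is running against via Compress::Raw::Zlib::zlib_version(), prints the path the module was resolved from so a CPAN upgrade can be confirmed to shadow the core copy, and exits non-zero when either version is below the fixed versions quoted in this advisory. The core/site classification is a heuristic built on perl's own %Config paths (archlib, privlib, sitearch, sitelib) and is an assumption of this example, as are the fixed-version constants, which are copied from the advisory.

```perl
#!/usr/bin/env perl
# Added example (not from the report above, nor from the Perl project):
# inspect the Compress::Raw::Zlib that perl actually loads, the zlib it is
# linked against, and whether either is below the fixed version.
use strict;
use warnings;
use Config;
use version;

# Fixed versions as stated in the advisory (assumption: copied from the text).
our $FIXED_MODULE = '2.222';
our $FIXED_ZLIB   = '1.3.2';

# Returns 1 if $have is strictly below $want, 0 if not, and undef if $have
# cannot be parsed (for example a vendor-patched zlib string with a suffix).
sub is_below {
    my ($have, $want) = @_;
    my $h = eval { version->parse($have) };
    my $w = eval { version->parse($want) };
    return undef unless defined $h && defined $w;
    return $h < $w ? 1 : 0;
}

# Classify an @INC-resolved path as core (shipped with perl), site (installed
# from CPAN) or other, using the directories perl was configured with.
# Heuristic: core directories are checked first, then site directories, so a
# site directory nested under a core one still wins as the more specific match.
sub classify_path {
    my ($path) = @_;
    my $location = 'other';
    for my $key (qw(archlib privlib)) {
        my $dir = $Config{$key};
        $location = 'core' if defined $dir && length $dir && index($path, $dir) == 0;
    }
    for my $key (qw(sitearch sitelib)) {
        my $dir = $Config{$key};
        $location = 'site' if defined $dir && length $dir && index($path, $dir) == 0;
    }
    return $location;
}

# Load the module and gather the facts the remediation steps ask for.
sub inspect_zlib_module {
    require Compress::Raw::Zlib;
    my $path = $INC{'Compress/Raw/Zlib.pm'};
    return {
        module_version => $Compress::Raw::Zlib::VERSION,
        # zlib_version() reports the zlib the XS code is running against,
        # whether that is the bundled copy or a system library.
        zlib_version   => Compress::Raw::Zlib::zlib_version(),
        path           => $path,
        location       => classify_path($path),
    };
}

my $info = inspect_zlib_module();
printf "Compress::Raw::Zlib %s loaded from %s [%s install]\n",
    $info->{module_version}, $info->{path}, $info->{location};
printf "zlib reported by the module: %s\n", $info->{zlib_version};

# If a CPAN upgrade was installed but the line above still shows an old
# version from a "core" path, the core copy is shadowing it (step 4).
my $vulnerable = 0;
for my $check (
    ['Compress::Raw::Zlib', $info->{module_version}, $FIXED_MODULE],
    ['zlib',                $info->{zlib_version},   $FIXED_ZLIB],
) {
    my ($name, $have, $want) = @$check;
    my $below = is_below($have, $want);
    if (!defined $below) {
        printf "%-20s %-10s could not be compared with %s; check manually\n",
            $name, $have, $want;
    } elsif ($below) {
        printf "%-20s %-10s is below fixed version %s: VULNERABLE\n",
            $name, $have, $want;
        $vulnerable = 1;
    } else {
        printf "%-20s %-10s is at or above fixed version %s: ok\n",
            $name, $have, $want;
    }
}

# Non-zero exit makes the script usable from a fleet-wide inventory job.
exit($vulnerable ? 1 : 0);
```

Run it with the same perl binary your application uses (for example `/usr/bin/perl check.pl` versus a perlbrew or container perl), because each installation has its own @INC and its own copy of the module; the zlib line only tells you about the library this module is built against, so a dynamically linked build still needs the system zlib updated as the mitigation list says.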

Read the full report for CVE-2026-4176 on our website for more details including interactive diagrams and full exploit analysis.
