CVE-2024-56406

Summary

A heap buffer overflow vulnerability was discovered in Perl.

Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10.

When there are non-ASCII bytes in the left-hand-side of the tr operator, S_do_trans_invmap can overflow the destination pointer d.

   $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

Affected Software

VendorProductVersion RangeStatus
perlperl5.41.0 <= 5.41.10affected
perlperl5.39.0 < 5.40.2-RC1affected
perlperl5.33.1 < 5.38.4-RC1affected

Weaknesses

  • CWE-122: CWE-122 Heap-based Buffer Overflow
  • CWE-787: CWE-787 Out-of-bounds Write

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References