RHSA-2026:6206
Vulnerability from csaf_redhat - Published: 2026-03-30 18:30 - Updated: 2026-04-19 19:40
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by "a\x80."
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
A heap write buffer overflow was found in perl's S_regatom() function, which is used in the compilation of regular expressions, resulting in the crash of the perl interpreter. An attacker, able to provide a specially crafted regular expression, could cause a denial of service.
A heap buffer overread was found in perl's grok_bslash_N() function, which is used in the compilation of Unicode nodes in regular expressions, possibly leading to a crash or a dump of memory segments via the error output. An attacker able to provide a specially crafted regular expression could look for sensitive information in the error message, or crash perl.
It was found that the pack() function in the 32-bit version of the perl interpreter was vulnerable to heap buffer overflow via the packing template. An attacker, able to provide a specially crafted template, could use this flaw to crash the interpreter.
Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.
A stack-based buffer overflow vulnerability was found in the S_find_uninit_var() function in sv.c in Perl. This issue may allow an authenticated local attacker to send a specially crafted request to the application, leading to an infinite recursion, exhausting the process' stack space, resulting in a denial of service.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\nperl:\n * perl-5.42.2-524.hum1 (aarch64, x86_64)\n * perl-Attribute-Handlers-1.03-524.hum1 (noarch)\n * perl-AutoLoader-5.74-524.hum1 (noarch)\n * perl-AutoSplit-5.74-524.hum1 (noarch)\n * perl-B-1.89-524.hum1 (aarch64, x86_64)\n * perl-Benchmark-1.27-524.hum1 (noarch)\n * perl-Class-Struct-0.68-524.hum1 (noarch)\n * perl-Config-Extensions-0.03-524.hum1 (noarch)\n * perl-DBM_Filter-0.07-524.hum1 (noarch)\n * perl-Devel-Peek-1.36-524.hum1 (aarch64, x86_64)\n * perl-Devel-SelfStubber-1.06-524.hum1 (noarch)\n * perl-DirHandle-1.05-524.hum1 (noarch)\n * perl-Dumpvalue-2.27-524.hum1 (noarch)\n * perl-DynaLoader-1.57-524.hum1 (aarch64, x86_64)\n * perl-English-1.11-524.hum1 (noarch)\n * perl-Errno-1.38-524.hum1 (aarch64, x86_64)\n * perl-ExtUtils-Constant-0.25-524.hum1 (noarch)\n * perl-ExtUtils-Embed-1.35-524.hum1 (noarch)\n * perl-ExtUtils-Miniperl-1.14-524.hum1 (noarch)\n * perl-Fcntl-1.20-524.hum1 (aarch64, x86_64)\n * perl-File-Basename-2.86-524.hum1 (noarch)\n * perl-File-Compare-1.100.800-524.hum1 (noarch)\n * perl-File-Copy-2.41-524.hum1 (noarch)\n * perl-File-DosGlob-1.12-524.hum1 (aarch64, x86_64)\n * perl-File-Find-1.44-524.hum1 (noarch)\n * perl-File-stat-1.14-524.hum1 (noarch)\n * perl-FileCache-1.10-524.hum1 (noarch)\n * perl-FileHandle-2.05-524.hum1 (noarch)\n * perl-FindBin-1.54-524.hum1 (noarch)\n * perl-GDBM_File-1.24-524.hum1 (aarch64, x86_64)\n * perl-Getopt-Std-1.14-524.hum1 (noarch)\n * perl-Hash-Util-0.32-524.hum1 (aarch64, x86_64)\n * perl-Hash-Util-FieldHash-1.27-524.hum1 (aarch64, x86_64)\n * perl-I18N-Collate-1.02-524.hum1 (noarch)\n * perl-I18N-LangTags-0.45-524.hum1 (noarch)\n * perl-I18N-Langinfo-0.24-524.hum1 (aarch64, x86_64)\n * perl-IO-1.55-524.hum1 (aarch64, x86_64)\n * perl-IPC-Open3-1.24-524.hum1 (noarch)\n * perl-Locale-Maketext-Simple-0.21-524.hum1 (noarch)\n * perl-Math-Complex-1.63-524.hum1 (noarch)\n * perl-Memoize-1.17-524.hum1 (noarch)\n * perl-Module-Loaded-0.08-524.hum1 (noarch)\n * perl-NDBM_File-1.18-524.hum1 (aarch64, x86_64)\n * perl-NEXT-0.69-524.hum1 (noarch)\n * perl-Net-1.04-524.hum1 (noarch)\n * perl-ODBM_File-1.20-524.hum1 (aarch64, x86_64)\n * perl-Opcode-1.69-524.hum1 (aarch64, x86_64)\n * perl-POSIX-2.23-524.hum1 (aarch64, x86_64)\n * perl-Pod-Functions-1.14-524.hum1 (noarch)\n * perl-Pod-Html-1.35-524.hum1 (noarch)\n * perl-Safe-2.47-524.hum1 (noarch)\n * perl-Search-Dict-1.08-524.hum1 (noarch)\n * perl-SelectSaver-1.02-524.hum1 (noarch)\n * perl-SelfLoader-1.28-524.hum1 (noarch)\n * perl-Symbol-1.09-524.hum1 (noarch)\n * perl-Sys-Hostname-1.25-524.hum1 (aarch64, x86_64)\n * perl-Term-Complete-1.403-524.hum1 (noarch)\n * perl-Term-ReadLine-1.17-524.hum1 (noarch)\n * perl-Test-1.31-524.hum1 (noarch)\n * perl-Text-Abbrev-1.02-524.hum1 (noarch)\n * perl-Thread-3.06-524.hum1 (noarch)\n * perl-Thread-Semaphore-2.13-524.hum1 (noarch)\n * perl-Tie-4.6-524.hum1 (noarch)\n * perl-Tie-File-1.10-524.hum1 (noarch)\n * perl-Tie-Memoize-1.1-524.hum1 (noarch)\n * perl-Time-1.04-524.hum1 (noarch)\n * perl-Time-Piece-1.3600-524.hum1 (aarch64, x86_64)\n * perl-Unicode-UCD-0.81-524.hum1 (noarch)\n * perl-User-pwent-1.05-524.hum1 (noarch)\n * perl-autouse-1.11-524.hum1 (noarch)\n * perl-base-2.27-524.hum1 (noarch)\n * perl-blib-1.07-524.hum1 (noarch)\n * perl-debugger-1.60-524.hum1 (noarch)\n * perl-deprecate-0.04-524.hum1 (noarch)\n * perl-devel-5.42.2-524.hum1 (aarch64, x86_64)\n * perl-diagnostics-1.40-524.hum1 (noarch)\n * perl-doc-5.42.2-524.hum1 (noarch)\n * perl-encoding-warnings-0.14-524.hum1 (noarch)\n * perl-fields-2.27-524.hum1 (noarch)\n * perl-filetest-1.03-524.hum1 (noarch)\n * perl-if-0.61.000-524.hum1 (noarch)\n * perl-interpreter-5.42.2-524.hum1 (aarch64, x86_64)\n * perl-less-0.03-524.hum1 (noarch)\n * perl-lib-0.65-524.hum1 (aarch64, x86_64)\n * perl-libnetcfg-5.42.2-524.hum1 (noarch)\n * perl-libs-5.42.2-524.hum1 (aarch64, x86_64)\n * perl-locale-1.13-524.hum1 (noarch)\n * perl-macros-5.42.2-524.hum1 (noarch)\n * perl-meta-notation-5.42.2-524.hum1 (noarch)\n * perl-mro-1.29-524.hum1 (aarch64, x86_64)\n * perl-open-1.13-524.hum1 (noarch)\n * perl-overload-1.40-524.hum1 (noarch)\n * perl-overloading-0.02-524.hum1 (noarch)\n * perl-ph-5.42.2-524.hum1 (aarch64, x86_64)\n * perl-sigtrap-1.10-524.hum1 (noarch)\n * perl-sort-2.06-524.hum1 (noarch)\n * perl-subs-1.04-524.hum1 (noarch)\n * perl-tests-5.42.2-524.hum1 (aarch64, x86_64)\n * perl-utils-5.42.2-524.hum1 (noarch)\n * perl-vars-1.05-524.hum1 (noarch)\n * perl-vmsish-1.04-524.hum1 (noarch)\n * perl-5.42.2-524.hum1.src (source)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:6206",
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2022-48522",
"url": "https://access.redhat.com/security/cve/CVE-2022-48522"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2020-10543",
"url": "https://access.redhat.com/security/cve/CVE-2020-10543"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2018-6913",
"url": "https://access.redhat.com/security/cve/CVE-2018-6913"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2017-12883",
"url": "https://access.redhat.com/security/cve/CVE-2017-12883"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2017-12837",
"url": "https://access.redhat.com/security/cve/CVE-2017-12837"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2016-2381",
"url": "https://access.redhat.com/security/cve/CVE-2016-2381"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2015-8853",
"url": "https://access.redhat.com/security/cve/CVE-2015-8853"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2012-6329",
"url": "https://access.redhat.com/security/cve/CVE-2012-6329"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_6206.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-19T19:40:52+00:00",
"generator": {
"date": "2026-04-19T19:40:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:6206",
"initial_release_date": "2026-03-30T18:30:07+00:00",
"revision_history": [
{
"date": "2026-03-30T18:30:07+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T19:53:16+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-19T19:40:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@aarch64",
"product": {
"name": "perl-main@aarch64",
"product_id": "perl-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl@5.42.2-524.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@src",
"product": {
"name": "perl-main@src",
"product_id": "perl-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl@5.42.2-524.hum1?arch=source\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@x86_64",
"product": {
"name": "perl-main@x86_64",
"product_id": "perl-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl@5.42.2-524.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "perl-main@noarch",
"product": {
"name": "perl-main@noarch",
"product_id": "perl-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/perl-Attribute-Handlers@1.03-524.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@aarch64"
},
"product_reference": "perl-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@noarch"
},
"product_reference": "perl-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@src"
},
"product_reference": "perl-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:perl-main@x86_64"
},
"product_reference": "perl-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-6329",
"discovery_date": "2012-12-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "884354"
}
],
"notes": [
{
"category": "description",
"text": "The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: possible arbitrary code execution via Locale::Maketext",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-6329"
},
{
"category": "external",
"summary": "RHBZ#884354",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=884354"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-6329",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-6329"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-6329",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-6329"
}
],
"release_date": "2012-12-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: possible arbitrary code execution via Locale::Maketext"
},
{
"cve": "CVE-2015-8853",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2016-04-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1329106"
}
],
"notes": [
{
"category": "description",
"text": "The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-dependent attackers to cause a denial of service (infinite loop) via crafted utf-8 data, as demonstrated by \"a\\x80.\"",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: regexp matching hangs indefinitely on illegal UTF-8 input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-8853"
},
{
"category": "external",
"summary": "RHBZ#1329106",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1329106"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-8853",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-8853"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-8853",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8853"
},
{
"category": "external",
"summary": "https://rt.perl.org/Public/Bug/Display.html?id=123562",
"url": "https://rt.perl.org/Public/Bug/Display.html?id=123562"
}
],
"release_date": "2015-01-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 5.4,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: regexp matching hangs indefinitely on illegal UTF-8 input"
},
{
"acknowledgments": [
{
"names": [
"Stephane Chazelas"
]
}
],
"cve": "CVE-2016-2381",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2016-02-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1309214"
}
],
"notes": [
{
"category": "description",
"text": "Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: ambiguous environment variables handling",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-2381"
},
{
"category": "external",
"summary": "RHBZ#1309214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1309214"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-2381",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2381"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2381",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2381"
}
],
"release_date": "2016-03-01T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: ambiguous environment variables handling"
},
{
"acknowledgments": [
{
"names": [
"Sawyer X"
],
"organization": "Perl"
}
],
"cve": "CVE-2017-12837",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"discovery_date": "2017-09-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1492091"
}
],
"notes": [
{
"category": "description",
"text": "A heap write buffer overflow was found in perl\u0027s S_regatom() function, which is used in the compilation of regular expressions, resulting in the crash of the perl interpreter. An attacker, able to provide a specially crafted regular expression, could cause a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Heap buffer overflow in regular expression compiler",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue does not affect perl versions older than 5.18. Perl as shipped in Red Hat Enterprise Linux 7 and older are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-12837"
},
{
"category": "external",
"summary": "RHBZ#1492091",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1492091"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-12837",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12837"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-12837",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12837"
}
],
"release_date": "2017-09-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "perl: Heap buffer overflow in regular expression compiler"
},
{
"cve": "CVE-2017-12883",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2017-09-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1492093"
}
],
"notes": [
{
"category": "description",
"text": "A heap buffer overread was found in perl\u0027s grok_bslash_N() function, which is used in the compilation of Unicode nodes in regular expressions, possibly leading to a crash or a dump of memory segments via the error output. An attacker able to provide a specially crafted regular expression could look for sensitive information in the error message, or crash perl.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: Buffer over-read in regular expression parser",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Perl as shipped in Red Hat Enterprise Linux 7 and older have not been found to be vulnerable. This vulnerability was not present in perl versions older than 5.20.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-12883"
},
{
"category": "external",
"summary": "RHBZ#1492093",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1492093"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-12883",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-12883"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-12883",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-12883"
}
],
"release_date": "2017-09-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: Buffer over-read in regular expression parser"
},
{
"acknowledgments": [
{
"names": [
"Perl 5 Porters"
]
},
{
"names": [
"GwanYeong Kim"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2018-6913",
"cwe": {
"id": "CWE-122",
"name": "Heap-based Buffer Overflow"
},
"discovery_date": "2018-02-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1547772"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the pack() function in the 32-bit version of the perl interpreter was vulnerable to heap buffer overflow via the packing template. An attacker, able to provide a specially crafted template, could use this flaw to crash the interpreter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: heap buffer overflow in pp_pack.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The 64-bit versions of perl have not been found to be affected. As a result, this issue did not affect the versions of perl as shipped with Red Hat Enterprise Linux 7, and the versions of rh-perl526-perl, rh-perl524-perl and rh-perl520-perl as shipped with Red Hat Software Collections.\n\nThis issue affects the 32bit versions of perl as shipped with Red Hat Enterprise Linux 6. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This has been rated as having a security impact of Low, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.\n\nThis issue may affect the versions of perl as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Extended Life Cycle phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-6913"
},
{
"category": "external",
"summary": "RHBZ#1547772",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547772"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-6913",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-6913"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-6913",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6913"
},
{
"category": "external",
"summary": "https://rt.perl.org/Public/Bug/Display.html?id=131844",
"url": "https://rt.perl.org/Public/Bug/Display.html?id=131844"
}
],
"release_date": "2018-04-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 4.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "perl: heap buffer overflow in pp_pack.c"
},
{
"acknowledgments": [
{
"names": [
"VinCSS"
],
"organization": "Vingroup"
},
{
"names": [
"ManhND"
],
"organization": "Tarantula Team"
}
],
"cve": "CVE-2020-10543",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2020-05-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1837975"
}
],
"notes": [
{
"category": "description",
"text": "Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: heap-based buffer overflow in regular expression compiler leads to DoS",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A heap buffer overflow vulnerability exists in the regular expression compiler of Perl packages shipped with Red Hat Enterprise Linux 6, 7, and 8. The flaw occurs in the S_study_chunk() function of regcomp.c due to a signed size_t integer overflow in storage space calculations for nested regular expression quantifiers. When untrusted regular expressions are compiled, this can lead to out-of-bounds memory writes with attacker-controlled data. The vulnerability does not depend on the data being matched, but rather on the regular expression itself. On Red Hat systems, this could result in denial of service or potential code execution when processing malicious regular expressions. Red Hat customers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler, as regular expressions in Perl can contain arbitrary code.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-10543"
},
{
"category": "external",
"summary": "RHBZ#1837975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1837975"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-10543",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10543"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10543"
}
],
"release_date": "2020-06-02T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
},
{
"category": "workaround",
"details": "To mitigate this flaw, developers should not allow untrusted regular expressions to be compiled by the Perl regular expression compiler.",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: heap-based buffer overflow in regular expression compiler leads to DoS"
},
{
"cve": "CVE-2022-48522",
"cwe": {
"id": "CWE-835",
"name": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)"
},
"discovery_date": "2023-08-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2234416"
}
],
"notes": [
{
"category": "description",
"text": "A stack-based buffer overflow vulnerability was found in the S_find_uninit_var() function in sv.c in Perl. This issue may allow an authenticated local attacker to send a specially crafted request to the application, leading to an infinite recursion, exhausting the process\u0027 stack space, resulting in a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "perl: stack-based crash in S_find_uninit_var()",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "The vulnerable code was introduced in Perl v5.33.1. Red Hat Enterprise Linux ships Perl v5.32.1 and lower. Our code-base does not contain the vulnerable code, therefore, RHEL is not affected.\n\nWhen attempting to access a hash entry with an undefined variable as the key, an infinite recursion occurs, depleting the stack space and leading to a stack overflow. This behavior is specific to cases where \u0027-w\u0027 (\"use warnings;\") are enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-48522"
},
{
"category": "external",
"summary": "RHBZ#2234416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234416"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-48522",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48522"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48522"
},
{
"category": "external",
"summary": "https://github.com/Perl/perl5/commit/23cca2d1f4544cb47f1124d98c308ce1f31f09a6",
"url": "https://github.com/Perl/perl5/commit/23cca2d1f4544cb47f1124d98c308ce1f31f09a6"
},
{
"category": "external",
"summary": "https://github.com/Perl/perl5/issues/19147",
"url": "https://github.com/Perl/perl5/issues/19147"
}
],
"release_date": "2023-08-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-03-30T18:30:07+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:6206"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:perl-main@aarch64",
"Red Hat Hardened Images:perl-main@noarch",
"Red Hat Hardened Images:perl-main@src",
"Red Hat Hardened Images:perl-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "perl: stack-based crash in S_find_uninit_var()"
}
]
}