Home

Description

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

PUBLISHED Reserved 2026-03-14 | Published 2026-03-29 | Updated 2026-03-30 | Assigner CPANSec

Problem types

CWE-1395 Dependency on Vulnerable Third-Party Component

Product status

Default status
unaffected

5.9.4 (custom) before 5.40.4-RC1
affected

5.41.0 (custom) before 5.42.2-RC1
affected

5.43.0 (custom) before 5.43.9
affected

Timeline

2026-02-27:Compress::Raw::Zlib 2.221 committed to Perl blead.
2026-03-07:CVE-2026-3381 published for Compress::Raw::Zlib.
2026-03-14:CVE-2026-4176 reserved.
2026-03-29:Perl 5.40.4 and 5.42.2 released.

Credits

Bernhard Schmalhofer reporter

References

www.openwall.com/lists/oss-security/2026/03/30/2

www.cve.org/CVERecord?id=CVE-2026-3381 vendor-advisory related vdb-entry

lists.security.metacpan.org/cve-announce/msg/37638919/ vendor-advisory

github.com/...ommit/c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94 patch

metacpan.org/.../PMQS/Compress-Raw-Zlib-2.221/source/Changes release-notes

metacpan.org/release/SHAY/perl-5.40.4/changes release-notes

metacpan.org/release/SHAY/perl-5.42.2/changes release-notes

cve.org (CVE-2026-4176)

nvd.nist.gov (CVE-2026-4176)

Download JSON