CVE-2026-8829 | THREATINT

Description

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.

PUBLISHED Reserved 2026-05-18 | Published 2026-06-04 | Updated 2026-06-04 | Assigner CPANSec

Problem types

CWE-416 Use After Free

Product status

Default status

unaffected

Any version before 3.84

affected

Timeline

2026-05-12:	Issue reported.
2026-05-19:	HTML-Parser 3.84 released.

References

www.openwall.com/lists/oss-security/2026/06/04/2

github.com/libwww-perl/HTML-Parser/pull/56 patch

github.com/...6922552b0778c90a9587a3894e248be4d3a25e1c.patch patch

cve.org (CVE-2026-8829)

nvd.nist.gov (CVE-2026-8829)

Download JSON