CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes

Description

A heap buffer overflow vulnerability was discovered in Perl.

When there are non-ASCII bytes on the left-hand side of the `tr` operator, `S_do_trans_invmap` can write past the end of the buffer addressed by the destination pointer `d`.

   $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
   Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.
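The fastest defensive check is to compare the running interpreter against the releases named in this advisory. The script below is an added example, not part of the advisory or of the perl5 project; it assumes that 5.38.4 and 5.40.2 (the release change logs in the reference list) are the first patched releases of their series, and it treats 5.34 and 5.36 as affected with no patched release named on this page. The sample versions in the loop are constructed inputs.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: first patched release per series, taken from the advisory's
# reference list (changes for perl-5.38.4 and perl-5.40.2). 5.34 and 5.36
# are listed as vulnerable but the advisory names no patched release for them.
my %first_patched = (
    '5.38' => 4,
    '5.40' => 2,
);
my %affected_series = map { $_ => 1 } qw(5.34 5.36 5.38 5.40);

# Classify a dotted version string such as "5.40.1" against the advisory.
# Series not listed on the page (e.g. out-of-support 5.32) are reported as
# "not listed", which is not the same as "known safe".
sub classify_version {
    my ($version) = @_;
    my ($maj, $min, $patch) = $version =~ /^(\d+)\.(\d+)(?:\.(\d+))?$/
        or return "unparseable version '$version'";
    $patch //= 0;
    my $series = "$maj.$min";
    return "series $series not listed as affected by CVE-2024-56406"
        unless $affected_series{$series};
    if (exists $first_patched{$series}) {
        my $fixed = $first_patched{$series};
        return $patch >= $fixed
            ? "patched ($series.$patch >= $series.$fixed)"
            : "vulnerable (upgrade to $series.$fixed or later)";
    }
    return "vulnerable (no patched $series release named in the advisory)";
}

# Check the interpreter running this script.
my $running = sprintf('%vd', $^V);   # e.g. "5.40.1"
printf "running perl %s: %s\n", $running, classify_version($running);

# Constructed sample versions to show each classification branch.
for my $sample (qw(5.34.1 5.36.3 5.38.2 5.38.4 5.40.2 5.42.0)) {
    printf "%-8s %s\n", $sample, classify_version($sample);
}
```

Run it with each perl binary on a host (`/usr/bin/perl`, vendored copies under application directories); the interpreter that executes the script is the one that gets checked, so a single system perl being patched says nothing about other installations.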

Classification

CVE ID: CVE-2024-56406

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Problem Types

CWE-122 Heap-based Buffer Overflow
CWE-787 Out-of-bounds Write

Affected Products

Vendor: perl

Product: perl

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability that the vulnerability is exploited)

EPSS Percentile: 16.46% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-05-12 (date the score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-56406
https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
https://metacpan.org/release/SHAY/perl-5.38.4/changes
https://metacpan.org/release/SHAY/perl-5.40.2/changes

Timeline