{"id":"CVE-2026-8829","summary":"HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities","details":"HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.\n\nThe XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.\n\nThe read may disclose adjacent heap contents into the destination SV.","modified":"2026-07-08T08:12:41.206637836Z","published":"2026-06-04T02:03:46.702Z","related":["SUSE-SU-2026:22189-1","openSUSE-SU-2026:10957-1","openSUSE-SU-2026:21126-1"],"database_specific":{"cna_assigner":"CPANSec","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8829.json","cwe_ids":["CWE-416"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/06/04/2"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2026/06/msg00044.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8829.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8829"},{"type":"FIX","url":"https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c.patch"},{"type":"FIX","url":"https://github.com/libwww-perl/HTML-Parser/pull/56"},{"type":"PACKAGE","url":"https://github.com/libwww-perl/HTML-Parser"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libwww-perl/html-parser","events":[{"introduced":"0"},{"fixed":"6b21b32af5e34192d9cc02334136ff5e9bffd6a0"},{"fixed":"6922552b0778c90a9587a3894e248be4d3a25e1c"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"3.84"}],"cpe":"cpe:2.3:a:oalders:html\\:\\:entities:*:*:*:*:*:perl:*:*","source":["CPE_RANGE","REFERENCES"]}}],"versions":["3.83","3.82","3.81","3.80","3.79","3.78","3.77","3.76","3.75","3.74","3.73","3.72","3.71","3.70","3.69","3.68","3.67","3.66","3.65","3.64","3.63","3.62","3.61","3.60","3.59","3.58","3.57","R3_56","R3_55","R3_54","R3_53","R3_52","R3_51","R3_50","R3_49","R3_48","R3_47","R3_46","R3_45","R3_44","R3_43","R3_42","R3_40","R3_39_92","R3_39_91","R3_39_90","R3_38","R3_37","R3_36","R3_35","R3_34","R3_33","R3_32","R3_31","R3_30","R3_29","R3_28","R3_27","R3_26","R3_25","R3_24","R3_23","R3_22","R3_21","R3_20","R3_19_94","R3_19_93","R3_19_92","R3_19_91","R19_90","R3_19","R3_18","R3_17","R3_16","R3_15","R3_14","R3_13","R3_12","R3_11","R3_10","R3_09","R3_08","R3_07","R3_06","R3_05","R3_04","R3_03","R3_02","R3_01","R3_00","R2_99_96","R2_99_95","R2_99_94","R2_99_93","R2_99_92","R2_99_91","R2_99_90","R2_99_17","R2_99_16","R2_99_15","R2_99_14","R2_99_13","R2_99_12","R2_99_11","R2_99_10","R2_99_09","R2_99_08","R2_99_07","R2_99_06","R2_99_05","R2_99_04","R2_99_03","R2_25","R2_99_02","R2_99_01","R2_24","R2_23","R2_22","R2_21","R2_20","R2_19","R2_18","R2_17","R2_16","R2_14","LWP_5_22","LWP_5_18","LWP_5_17","LWP_5_05","LWP_5_00","B13","B12","B11","B6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8829.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}