{"id":"USN-8467-2","summary":"perl vulnerabilities","details":"USN-8467-1 fixed vulnerabilities in Perl. This update provides the\ncorresponding fix for Perl on Ubuntu 25.10.\n\nOriginal advisory details:\nIt was discovered that Perl's Archive::Tar module incorrectly handled\nsymlink and hardlink targets during extraction. An attacker could use this\nissue to read or overwrite arbitrary files outside the extraction\ndirectory. (CVE-2026-42496)\nIt was discovered that Perl had a heap buffer overflow when compiling\nregular expressions with a repeated fixed string on 32-bit builds. An\nattacker could use this issue to cause a denial of service or possibly\nexecute arbitrary code. (CVE-2026-8376)","modified":"2026-07-02T13:49:32.190074256Z","published":"2026-07-02T06:15:19Z","upstream":["CVE-2026-42496","CVE-2026-8376","UBUNTU-CVE-2026-42496","UBUNTU-CVE-2026-8376"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8467-2"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-8376"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42496"}],"affected":[{"package":{"name":"perl","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/perl?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.40.1-6ubuntu0.1"}]}],"versions":["5.40.1-2","5.40.1-3","5.40.1-5","5.40.1-6","5.40.1-6build1"],"ecosystem_specific":{"binaries":[{"binary_name":"libperl5.40","binary_version":"5.40.1-6ubuntu0.1"},{"binary_name":"perl","binary_version":"5.40.1-6ubuntu0.1"},{"binary_name":"perl-base","binary_version":"5.40.1-6ubuntu0.1"},{"binary_name":"perl-debug","binary_version":"5.40.1-6ubuntu0.1"},{"binary_name":"perl-modules-5.40","binary_version":"5.40.1-6ubuntu0.1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8467-2.json","cves_map":{"ecosystem":"Ubuntu:25.10","cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-8376"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2026-42496"}]}}}],"schema_version":"1.7.5"}