CVE-2026-8829

Published: Giu 04, 2026 Last Modified: Giu 04, 2026
ExploitDB:
Other exploit source:
Google Dorks:

Description

AI Translation Available

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.

The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.

The read may disclose adjacent heap contents into the destination SV.

416

Use After Free

Stable
Abstraction: Variant Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Confidentiality
Potential Impacts:
Modify Memory Dos: Crash, Exit, Or Restart Read Memory Execute Unauthorized Code Or Commands
Applicable Platforms
Languages: Memory-Unsafe, C, C++
Likelihood of Exploit: High
View CWE Details
https://github.com/libwww-perl/HTML-Parser/commit/6922552b0…
https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248…
https://github.com/libwww-perl/HTML-Parser/pull/56
https://github.com/libwww-perl/HTML-Parser/pull/56