========================================================================
CVE-2026-8829 CPAN Security Group
========================================================================
CVE ID: CVE-2026-8829
Distribution: HTML-Parser
Versions: before 3.84
MetaCPAN: https://metacpan.org/dist/HTML-Parser
VCS Repo: https://github.com/libwww-perl/HTML-Parser
HTML::Entities versions before 3.84 for Perl read freed heap memory in
_decode_entities
Description
-----------
HTML::Entities versions before 3.84 for Perl read freed heap memory in
_decode_entities.
The XS routine backing HTML::Entities::_decode_entities cached a
pointer (repl) into the entity-value SV returned by hv_fetch on the
entity2char hash. When the input SV was identical to a value SV in that
hash, and that value contained its own key as an entity reference, a
later call to grow_gap() reallocated the SV's PV buffer and freed the
backing allocation that repl still pointed into. The subsequent copy
loop read repl_len bytes from the freed allocation.
The read may disclose adjacent heap contents into the destination SV.
Problem types
-------------
- CWE-416 Use After Free
Solutions
---------
Upgrade to HTML-Parser 3.84 or later.
References
----------
https://github.com/libwww-perl/HTML-Parser/pull/56
https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c.patch
Timeline
--------
- 2026-05-12: Issue reported.
- 2026-05-19: HTML-Parser 3.84 released.
--
Paul Johnson - [email protected]
