CVE-2024-56406

CVE-2024-56406: Perl is vulnerable to a heap buffer overflow when transliterating non-ASCII bytes

Vendor Perl
Product perl
Weakness CWE-122
Published April 13, 2025
Last update October 16, 2025

CVSS base score

What the vulnerability does

01Description

A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

Key dates

02Disclosure timeline

April 13, 2025 CVE published
October 16, 2025 Record updated