CVE-2026-8829

CVE-2026-8829: HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities

Vendor: Oalders
Product: HTML::Entities
Weakness: CWE-416
Published: June 4, 2026
Last update: June 4, 2026

CVSS base score

What the vulnerability does

01 Description

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.
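The aliasing pattern described above, reduced to a simplified C model. This is an added example, not code from HTML::Entities, and the snapshot-before-grow guard is one possible mitigation rather than the project's actual fix. `buf_t`, `make_buf`, `grow` and `splice_safe` are hypothetical names standing in for the SV, its PV buffer and grow_gap().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an SV's string buffer (PV); always NUL-terminated. */
typedef struct { char *pv; size_t len, cap; } buf_t;

buf_t make_buf(const char *s) {
    buf_t b = { NULL, strlen(s), strlen(s) + 1 };
    b.pv = malloc(b.cap);
    if (!b.pv) abort();
    memcpy(b.pv, s, b.cap);
    return b;
}

/* Stand-in for grow_gap(): realloc may move the buffer and free the old one. */
int grow(buf_t *b, size_t need) {
    if (need <= b->cap) return 0;
    char *p = realloc(b->pv, need);
    if (!p) return -1;
    b->pv = p; b->cap = need;
    return 0;
}

/* Replace ent_len bytes at dst->pv[at] with the contents of val.
 * Unsafe pattern: cache repl = val->pv, then grow dst. When val == dst,
 * repl is left pointing into the allocation that realloc just freed.
 * Hardened form: snapshot the value before any growth if it aliases dst. */
int splice_safe(buf_t *dst, size_t at, size_t ent_len, const buf_t *val) {
    if (at + ent_len > dst->len) return -1;
    size_t repl_len = val->len, tail = dst->len - at - ent_len;
    const char *repl = val->pv;
    char *tmp = NULL;
    if (val == dst) {                       /* same object: copy first */
        if (!(tmp = malloc(repl_len + 1))) return -1;
        memcpy(tmp, val->pv, repl_len);
        repl = tmp;
    }
    if (grow(dst, dst->len - ent_len + repl_len + 1)) { free(tmp); return -1; }
    memmove(dst->pv + at + repl_len, dst->pv + at + ent_len, tail + 1);
    memcpy(dst->pv + at, repl, repl_len);   /* repl is still valid here */
    dst->len = dst->len - ent_len + repl_len;
    free(tmp);
    return 0;
}

int main(void) {
    buf_t b = make_buf("v&x;");             /* constructed: value holds its own key */
    if (splice_safe(&b, 1, 3, &b) == 0) printf("%s\n", b.pv);
    free(b.pv);
    return 0;
}
```

Building the model with AddressSanitizer (`-fsanitize=address`) and removing the `val == dst` guard reports the stale read as a heap-use-after-free at the `memcpy`.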

Key dates

02 Disclosure timeline

June 4, 2026: CVE published
June 4, 2026: Record updated