{"id":"CVE-2026-8829","summary":"HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities","details":"HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities.\n\nThe XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.\n\nThe read may disclose adjacent heap contents into the destination SV.","modified":"2026-06-24T09:14:03.055176252Z","published":"2026-06-04T02:03:46.702Z","related":["SUSE-SU-2026:22189-1","openSUSE-SU-2026:10957-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8829.json","cwe_ids":["CWE-416"],"cna_assigner":"CPANSec"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/06/04/2"},{"type":"WEB","url":"https://cpan.org/modules"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8829.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8829"},{"type":"FIX","url":"https://github.com/libwww-perl/HTML-Parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c.patch"},{"type":"FIX","url":"https://github.com/libwww-perl/HTML-Parser/pull/56"},{"type":"PACKAGE","url":"https://github.com/libwww-perl/HTML-Parser"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libwww-perl/html-parser","events":[{"introduced":"0"},{"fixed":"6b21b32af5e34192d9cc02334136ff5e9bffd6a0"},{"fixed":"6922552b0778c90a9587a3894e248be4d3a25e1c"}],"database_specific":{"cpe":"cpe:2.3:a:oalders:html\\:\\:entities:*:*:*:*:*:perl:*:*","source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"3.84"}]}}],"versions":["3.83","3.82","3.81","3.80","3.79","3.78","3.77","3.76","3.75","3.74","3.73","3.72","3.71","3.70","3.69","3.68","3.67","3.66","3.65","3.64","3.63","3.62","3.61","3.60","3.59","3.58","3.57","R3_56","R3_55","R3_54","R3_53","R3_52","R3_51","R3_50","R3_49","R3_48","R3_47","R3_46","R3_45","R3_44","R3_43","R3_42","R3_40","R3_39_92","R3_39_91","R3_39_90","R3_38","R3_37","R3_36","R3_35","R3_34","R3_33","R3_32","R3_31","R3_30","R3_29","R3_28","R3_27","R3_26","R3_25","R3_24","R3_23","R3_22","R3_21","R3_20","R3_19_94","R3_19_93","R3_19_92","R3_19_91","R19_90","R3_19","R3_18","R3_17","R3_16","R3_15","R3_14","R3_13","R3_12","R3_11","R3_10","R3_09","R3_08","R3_07","R3_06","R3_05","R3_04","R3_03","R3_02","R3_01","R3_00","R2_99_96","R2_99_95","R2_99_94","R2_99_93","R2_99_92","R2_99_91","R2_99_90","R2_99_17","R2_99_16","R2_99_15","R2_99_14","R2_99_13","R2_99_12","R2_99_11","R2_99_10","R2_99_09","R2_99_08","R2_99_07","R2_99_06","R2_99_05","R2_99_04","R2_99_03","R2_25","R2_99_02","R2_99_01","R2_24","R2_23","R2_22","R2_21","R2_20","R2_19","R2_18","R2_17","R2_16","R2_14","LWP_5_22","LWP_5_18","LWP_5_17","LWP_5_05","LWP_5_00","B13","B12","B11","B6"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-8829.json","vanir_signatures":[{"signature_version":"v1","deprecated":false,"source":"https://github.com/libwww-perl/html-parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c","target":{"file":"util.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["29524226695568867393611713302732256007","88925536424335811418513984117503737771","125351173588064010782487249454781502536","244693494973170438017600447690742251171","177566466278410444417561684390376957074","161068445147121806963874015074544648543","55192585854307345962842473963564967862","235073147029104328918831853661015462231","45855650820848338149040975573924227466","224125197776965977316250693747002817775","162567067660630509810466194269228684738","258479322125686328984193696014827764263","308011330346174385747097628131380601554","46442983270035478777643436301391618654","18921908710528266953421495109603178278","229891308261985322485472263359863391893","280375879308588453047160834160354569603","134429069728731958751856250472328785201","300278630825011606591107183136696983218","88967852916892989479353512631507549383","115856390516382032478180913911082783685","33000665795576920914913238638696949613","234150239203820662679117585177268903128","19832847907142007802878252255421180173","187583489482414199909937053426466094382"]},"id":"CVE-2026-8829-25837f81"},{"signature_version":"v1","signature_type":"Function","source":"https://github.com/libwww-perl/html-parser/commit/6922552b0778c90a9587a3894e248be4d3a25e1c","deprecated":false,"digest":{"length":3138,"function_hash":"89558245732209872575410423504328203275"},"target":{"function":"decode_entities","file":"util.c"},"id":"CVE-2026-8829-8366e2d3"}],"vanir_signatures_modified":"2026-06-19T03:19:16Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}