PT-2025-16185 · Perl 5
Nathan Mills · Published 2024-12-18 · Updated 2025-11-12
CVE-2024-56406 · CVSS v3.1 8.4 (High)
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Perl development versions 5.33.1 through 5.41.10
Perl release branches 5.34, 5.36, 5.38 and 5.40 (all 5.34.x and 5.36.x releases; 5.38.x before 5.38.4; 5.40.x before 5.40.2)
Description
A heap buffer overflow vulnerability was discovered in Perl. When there are non-ASCII bytes in the left-hand side (the search list) of the tr operator, the interpreter's internal function S_do_trans_invmap can advance its destination pointer d past the end of the heap buffer it writes the transliterated string into, so the overflow lands on heap memory owned by something else. The reliable outcome is a crash (Denial of Service); on platforms that lack sufficient defenses it may also enable Code Execution. It is estimated that over 1.4 million services may be affected.
Recommendations
Update to a release that includes the fix: 5.38.4 or 5.40.2, or any later release. These are the only fixed point releases named here, so for the 5.34 and 5.36 branches and for the 5.33.1 through 5.41.10 development versions, move to 5.38.4 / 5.40.2 or newer, or install a distribution package that backports the fix. Distribution builds usually keep the old version number after backporting, so check the package changelog rather than the version string alone.
There is no configuration-level workaround: the tr operator cannot be switched off, and S_do_trans_invmap is a static function inside the interpreter, not something access can be restricted to. Until the patch is installed, audit code for tr operations whose search list (left-hand side) contains non-ASCII bytes, above all where they run on untrusted or attacker-sized input, and rewrite them so the search list stays ASCII-only; that removes the trigger condition the advisory describes.
Fix
DoS
RCE
Memory Corruption
Heap Based Buffer Overflow
Related Identifiers
Affected Products
ALT Linux
Astra Linux
IBM AIX
Linux Mint
Perl
Ubuntu