PT-2026-46135 · Oalders · Html::Entities

Published 2026-06-04 · Updated 2026-06-04 · CVE-2026-8829

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
HTML::Entities versions before 3.84 for Perl read freed heap memory in decode_entities.
The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation.
The read may disclose adjacent heap contents into the destination SV.
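
The aliasing condition described above, as an added C example: a simplified model written for this page, not HTML::Parser source and not the 3.84 patch. The names buf, buf_from, buf_grow and replace_span are hypothetical, and snapshotting the replacement before the buffer can grow is one possible hardening, assumed here for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (hypothetical names): a growable NUL-terminated string. */
struct buf { char *p; size_t len, cap; };

struct buf buf_from(const char *s) {
    struct buf b = { NULL, strlen(s), strlen(s) + 1 };
    b.p = malloc(b.cap);
    if (b.p) memcpy(b.p, s, b.cap);
    return b;
}

/* Make room for `extra` more bytes; realloc may move the block and free the old one. */
static int buf_grow(struct buf *b, size_t extra) {
    if (b->cap - b->len > extra) return 0;
    char *np = realloc(b->p, b->len + extra + 1);
    if (!np) return -1;
    b->p = np; b->cap = b->len + extra + 1;
    return 0;
}

/* Replace b[pos, pos+tok_len) with repl[0, repl_len).
 * repl may point into b->p itself, the aliasing case from the advisory.
 * Hardened form: snapshot repl before any call that can reallocate b->p. */
int replace_span(struct buf *b, size_t pos, size_t tok_len,
                 const char *repl, size_t repl_len) {
    if (pos > b->len || tok_len > b->len - pos) return -1;
    char *copy = malloc(repl_len ? repl_len : 1);
    if (!copy) return -1;
    memcpy(copy, repl, repl_len);            /* read while repl is still valid */
    if (repl_len > tok_len && buf_grow(b, repl_len - tok_len) != 0) {
        free(copy); return -1;
    }
    /* b->p may have moved: from here on use only offsets and the snapshot. */
    memmove(b->p + pos + repl_len, b->p + pos + tok_len, b->len - pos - tok_len);
    memcpy(b->p + pos, copy, repl_len);
    b->len = b->len - tok_len + repl_len;
    b->p[b->len] = '\0';
    free(copy);
    return 0;
}

int main(void) {
    struct buf b = buf_from("1&x;2");        /* constructed: value names its own key */
    if (!b.p || replace_span(&b, 1, 3, b.p, b.len) != 0) return 1;
    puts(b.p);
    free(b.p); return 0;
}
```

Building the model with -fsanitize=address makes any read through a stale pointer after the realloc abort at the faulting access.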

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-8829

Affected Products

Html::Entities