Security Advisories (9)
CVE-2024-56406 (2025-04-13)

A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'    Segmentation fault (core dumped) It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

CVE-2023-47038 (2023-10-30)

A crafted regular expression when compiled by perl 5.30.0 through 5.38.0 can cause a one attacker controlled byte buffer overflow in a heap allocated buffer

CVE-2025-40909 (2025-05-30)

Perl threads have a working directory race condition where file operations may target unintended paths. If a directory handle is open at thread creation, the process-wide current working directory is temporarily changed in order to clone that handle for the new thread, which is visible from any third (or more) thread already running. This may lead to unintended operations such as loading code or accessing files from unexpected locations, which a local attacker may be able to exploit. The bug was introduced in commit 11a11ecf4bea72b17d250cfb43c897be1341861e and released in Perl version 5.13.6

CVE-2026-13221 (2026-07-13)

Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches (matching strings it should not) and false negative matches (failing to match strings it should). When such a pattern gates an access or filtering decision, the result is wrong.

CVE-2026-4176 (2026-03-29)

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

CVE-2026-57432 (2026-07-13)

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller.

CVE-2023-47100

In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0.

CVE-2026-8376 (2026-05-25)

Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds. Perl_study_chunk in regcomp_study.c checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length mincount * l could overflow SSize_t, producing an undersized SvGROW allocation; the subsequent copy writes past the end of the buffer. A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.

CVE-2023-47039 (2023-10-30)

Perl for Windows relies on the system path environment variable to find the shell (cmd.exe). When running an executable which uses Windows Perl interpreter, Perl attempts to find and execute cmd.exe within the operating system. However, due to path search order issues, Perl initially looks for cmd.exe in the current working directory. An attacker with limited privileges can exploit this behavior by placing cmd.exe in locations with weak permissions, such as C:\ProgramData. By doing so, when an administrator attempts to use this executable from these compromised locations, arbitrary code can be executed.

NAME

ExtUtils::CBuilder - Compile and link C code for Perl modules

SYNOPSIS

use ExtUtils::CBuilder;

my $b = ExtUtils::CBuilder->new(%options);
$obj_file = $b->compile(source => 'MyModule.c');
$lib_file = $b->link(objects => $obj_file);

DESCRIPTION

This module can build the C portions of Perl modules by invoking the appropriate compilers and linkers in a cross-platform manner. It was motivated by the Module::Build project, but may be useful for other purposes as well. However, it is not intended as a general cross-platform interface to all your C building needs. That would have been a much more ambitious goal!

METHODS

new

Returns a new ExtUtils::CBuilder object. A config parameter lets you override Config.pm settings for all operations performed by the object, as in the following example:

# Use a different compiler than Config.pm says
my $b = ExtUtils::CBuilder->new( config =>
                                 { ld => 'gcc' } );

A quiet parameter tells CBuilder to not print its system() commands before executing them:

# Be quieter than normal
my $b = ExtUtils::CBuilder->new( quiet => 1 );
have_compiler

Returns true if the current system has a working C compiler and linker, false otherwise. To determine this, we actually compile and link a sample C library. The sample will be compiled in the system tempdir or, if that fails for some reason, in the current directory.

have_cplusplus

Just like have_compiler but for C++ instead of C.

compile

Compiles a C source file and produces an object file. The name of the object file is returned. The source file is specified in a source parameter, which is required; the other parameters listed below are optional.

object_file

Specifies the name of the output file to create. Otherwise the object_file() method will be consulted, passing it the name of the source file.

include_dirs

Specifies any additional directories in which to search for header files. May be given as a string indicating a single directory, or as a list reference indicating multiple directories.

extra_compiler_flags

Specifies any additional arguments to pass to the compiler. Should be given as a list reference containing the arguments individually, or if this is not possible, as a string containing all the arguments together.

C++

Specifies that the source file is a C++ source file and sets appropriate compiler flags

The operation of this method is also affected by the archlibexp, cccdlflags, ccflags, optimize, and cc entries in Config.pm.

Invokes the linker to produce a library file from object files. In scalar context, the name of the library file is returned. In list context, the library file and any temporary files created are returned. A required objects parameter contains the name of the object files to process, either in a string (for one object file) or list reference (for one or more files). The following parameters are optional:

lib_file

Specifies the name of the output library file to create. Otherwise the lib_file() method will be consulted, passing it the name of the first entry in objects.

module_name

Specifies the name of the Perl module that will be created by linking. On platforms that need to do prelinking (Win32, OS/2, etc.) this is a required parameter.

extra_linker_flags

Any additional flags you wish to pass to the linker.

On platforms where need_prelink() returns true, prelink() will be called automatically.

The operation of this method is also affected by the lddlflags, shrpenv, and ld entries in Config.pm.

Invokes the linker to produce an executable file from object files. In scalar context, the name of the executable file is returned. In list context, the executable file and any temporary files created are returned. A required objects parameter contains the name of the object files to process, either in a string (for one object file) or list reference (for one or more files). The optional parameters are the same as link with exception for

exe_file

Specifies the name of the output executable file to create. Otherwise the exe_file() method will be consulted, passing it the name of the first entry in objects.

object_file
my $object_file = $b->object_file($source_file);

Converts the name of a C source file to the most natural name of an output object file to create from it. For instance, on Unix the source file foo.c would result in the object file foo.o.

lib_file
my $lib_file = $b->lib_file($object_file);

Converts the name of an object file to the most natural name of a output library file to create from it. For instance, on Mac OS X the object file foo.o would result in the library file foo.bundle.

exe_file
my $exe_file = $b->exe_file($object_file);

Converts the name of an object file to the most natural name of an executable file to create from it. For instance, on Mac OS X the object file foo.o would result in the executable file foo, and on Windows it would result in foo.exe.

On certain platforms like Win32, OS/2, VMS, and AIX, it is necessary to perform some actions before invoking the linker. The ExtUtils::Mksymlists module does this, writing files used by the linker during the creation of shared libraries for dynamic extensions. The names of any files written will be returned as a list.

Several parameters correspond to ExtUtils::Mksymlists::Mksymlists() options, as follows:

 Mksymlists()   prelink()          type
-------------|-------------------|-------------------
 NAME        |  dl_name          | string (required)
 DLBASE      |  dl_base          | string
 FILE        |  dl_file          | string
 DL_VARS     |  dl_vars          | array reference
 DL_FUNCS    |  dl_funcs         | hash reference
 FUNCLIST    |  dl_func_list     | array reference
 IMPORTS     |  dl_imports       | hash reference
 VERSION     |  dl_version       | string

Please see the documentation for ExtUtils::Mksymlists for the details of what these parameters do.

Returns true on platforms where prelink() should be called during linking, and false otherwise.

Returns list of extra arguments to give to the link command; the arguments are the same as for prelink(), with addition of array reference to the results of prelink(); this reference is indexed by key prelink_res.

TO DO

Currently this has only been tested on Unix and doesn't contain any of the Windows-specific code from the Module::Build project. I'll do that next.

HISTORY

This module is an outgrowth of the Module::Build project, to which there have been many contributors. Notably, Randy W. Sims submitted lots of code to support 3 compilers on Windows and helped with various other platform-specific issues. Ilya Zakharevich has contributed fixes for OS/2; John E. Malmberg and Peter Prymmer have done likewise for VMS.

SUPPORT

ExtUtils::CBuilder is maintained as part of the Perl 5 core. Please submit any bug reports via the perlbug tool included with Perl 5. Bug reports will be included in the Perl 5 ticket system at https://rt.perl.org.

The Perl 5 source code is available at https://perl5.git.perl.org/perl.git and ExtUtils-CBuilder may be found in the dist/ExtUtils-CBuilder directory of the repository.

AUTHOR

Ken Williams, kwilliams@cpan.org

Additional contributions by The Perl 5 Porters.

COPYRIGHT

Copyright (c) 2003-2005 Ken Williams. All rights reserved.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

SEE ALSO

perl(1), Module::Build(3)