CVE-2024-56406

Source
https://cve.org/CVERecord?id=CVE-2024-56406
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56406.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56406
Downstream
Related
Published
2025-04-13T14:15:14.527Z
Modified
2026-02-13T08:45:33.722033Z
Severity
  • 8.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

A heap buffer overflow vulnerability was discovered in Perl.

Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10.

When the left-hand side of the tr operator contains non-ASCII bytes, S_do_trans_invmap can advance the destination pointer d past the end of the allocated buffer, writing beyond it.

   $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
   Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.

References

Affected packages

Git / github.com/perl/perl5

Affected ranges

Type
GIT
Repo
https://github.com/perl/perl5
Events

Affected versions

v5.33.1
v5.33.2
v5.33.3
v5.33.4
v5.33.5
v5.33.6
v5.33.7
v5.33.8
v5.33.9
v5.34.0
v5.34.0-RC1
v5.34.0-RC2
v5.35.0
v5.35.1
v5.35.10
v5.35.11
v5.35.2
v5.35.3
v5.35.4
v5.35.5
v5.35.6
v5.35.7
v5.35.8
v5.35.9
v5.36.0
v5.36.0-RC1
v5.36.0-RC3
v5.37.0
v5.37.1
v5.37.10
v5.37.11
v5.37.2
v5.37.3
v5.37.4
v5.37.5
v5.37.6
v5.37.7
v5.37.8
v5.37.9
v5.38.0
v5.38.0-RC1
v5.38.0-RC2
v5.38.1
v5.38.2
v5.38.3
v5.38.3-RC1
v5.38.4-RC1
v5.39.0
v5.39.1
v5.39.10
v5.39.2
v5.39.3
v5.39.4
v5.39.5
v5.39.6
v5.39.7
v5.39.8
v5.39.9
v5.40.0
v5.40.0-RC1
v5.40.0-RC2
v5.40.1
v5.40.1-RC1
v5.40.2-RC1
v5.41.0
v5.41.1
v5.41.10
v5.41.2
v5.41.3
v5.41.4
v5.41.5
v5.41.6
v5.41.7
v5.41.8
v5.41.9

Database specific

vanir_signatures
[
    {
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "op.c",
            "function": "S_pmtrans"
        },
        "digest": {
            "length": 13728.0,
            "function_hash": "103498168550110636723907425407205223783"
        },
        "id": "CVE-2024-56406-17f9d390",
        "source": "https://github.com/perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd",
        "signature_type": "Function"
    },
    {
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "op.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "189586818232990660262111173185107192330",
                "321624929067096723080303988807375853448",
                "308843707930518695019406321178223426241",
                "156431593218724535804723157254102277155"
            ]
        },
        "id": "CVE-2024-56406-eaa69e21",
        "source": "https://github.com/perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd",
        "signature_type": "Line"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56406.json"