Vulmon Recent Vulnerabilities Product List Research Posts Trends Blog About Contact
NA
CVSSv3

CVE-2024-56406

CVSSv4: NA | CVSSv3: NA | CVSSv2: NA | VMScore: NA | EPSS: 0.00015 | KEV: Not Included
Published: 13/04/2025 Updated: 15/04/2025

Vulnerability Summary

Heap Buffer Overflow in Perl Versions 5.33.1-5.41.10 via Transcription Operator

A heap buffer overflow vulnerability exists in Perl versions 5.34, 5.36, 5.38, 5.40, and development versions from 5.33.1 through 5.41.10. The issue occurs in the `S_do_trans_invmap` function when non-ASCII bytes are present in the left-hand-side of the `tr` operator, causing an overflow of the destination pointer `d`. A proof-of-concept demonstrates the vulnerability by creating a large string with a specific byte and performing a translation, which results in a segmentation fault. Researchers believe this vulnerability could potentially enable Denial of Service and possibly Code Execution attacks on vulnerable systems with insufficient protections.

Vulnerability Trend

Mailing Lists

Full Disclosure: Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
On 2025-04-13 16:47, Solar Designer wrote: [] Hi Alexander, Thank you for the feedback We only considered release branches for the affected versions To fix this, the CVE record has been updated to take into account development versions and release candidates: Versions: from 5410 through 54110 from 5390 before ...
Full Disclosure: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
======================================================================== CVE-2024-56406 CPAN Security Group ======================================================================== CVE ID: CVE-2024-56406 Distribution: perl Versions: from 5400 until 5402 from 5380 until ...
Full Disclosure: Re: CVE-2024-56406: Perl 5.34, 5.36, 5.38 and 5.40 are vulnerable to a heap buffer overflow when transliterating non-ASCII bytes
Hi Stig, Thank you for handling this disclosure so well! On Sun, Apr 13, 2025 at 03:23:25PM +0200, Stig Palmquist wrote: Running this command on distro packages based on 5321 (like in EL9) does not segfault (produces no output), which is as expected for a version that didn't yet have the bug (and assuming no bug backport) As it was mentio ...

References

CWE-122CWE-787https://nvd.nist.govhttps://seclists.org/oss-sec/2025/q2/50https://www.first.org/epsshttps://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patchhttps://metacpan.org/release/SHAY/perl-5.38.4/changeshttps://metacpan.org/release/SHAY/perl-5.40.2/changeshttp://www.openwall.com/lists/oss-security/2025/04/13/3http://www.openwall.com/lists/oss-security/2025/04/13/4http://www.openwall.com/lists/oss-security/2025/04/13/5
Preferred Score:
CVSSv3
CVSSv2
CVSSv3
CVSSv4
EPSS
VMScore
Recommendations:
CVE-2025-39551hard-codedtype confusionmarkus drubbaCVE-2025-24054broken links removerCVE-2025-39567anthologizeCVE-2025-31201CVE-2025-29454file uploadCVE-2025-39558momen2009
Home
/
Search Results
/
CVE-2024-56406
Vulmon Logo Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Product List Vendor List Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook