CVE-2026-4176Use of Unmaintained Third Party Components in Perl

CWE-1104Use of Unmaintained Third Party ComponentsCWE-1395Dependency on Vulnerable Third-Party Component9 documents8 sources
Severity
9.8CRITICALNVD
CNA2.9OSV5.5
EPSS
0.0%
top 93.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
PerlShay Perl
Timeline
PublishedMar 29
Latest updateMar 30

Description

Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib. Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

CVEListV5shay/perl5.9.45.40.4-RC1+2
Alpineperl/perl< 0
Debianperl/perl< 5.10.0-21+3

🔴Vulnerability Details

4
OSV
CVE-2026-4176: Perl versions from 52026-03-29
OSV
CVE-2026-4176: Perl versions from 52026-03-29
CVEList
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib2026-03-29
GHSA
GHSA-q2q4-jjp8-f6m3: Perl versions from 52026-03-29

📋Vendor Advisories

2
Red Hat
Perl: Compress::Raw::Zlib: zlib: Perl: Multiple vulnerabilities due to an outdated vendored zlib library2026-03-29
Debian
CVE-2026-4176: perl - Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-4176 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2026-4176 perl: Perl: Multiple vulnerabilities due to an outdated vendored zlib library [fedora-42]2026-03-30