CVE-2026-8829: HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities
HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.
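The pointer-caching defect described above, shown as an added C illustration that is not HTML::Entities code and does not reproduce the project's actual 3.84 fix: a toy decoder caches a pointer to the replacement text, grows its output buffer, and then copies from the cached pointer, next to a hardened variant that snapshots the replacement before any growth. Because a real use-after-free read is undefined behaviour, the simulated `grow_gap()` here poisons the old block with 0xAA instead of freeing it, the way an allocator quarantine or ASan would make the stale read visible. The buffer contents, the entity name `&x;`, and the names `decode_stale`, `decode_safe` and `demo_aliased` are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the defect class in the advisory (not the
 * HTML::Entities source). grow_gap() stands in for a reallocating growth
 * routine: rather than free() the old block, it overwrites it with POISON
 * and keeps it mapped, so a read through a stale pointer is observable. */
#define POISON 0xAA

struct buf { char *p; size_t len; size_t cap; };

static struct buf *buf_new(const char *s) {
    struct buf *b = malloc(sizeof *b);
    b->len = strlen(s);
    b->cap = b->len + 1;
    b->p = malloc(b->cap);
    memcpy(b->p, s, b->cap);
    return b;
}

/* Ensure the buffer can hold `need` bytes; may move b->p to a new block. */
static void grow_gap(struct buf *b, size_t need) {
    if (need <= b->cap) return;
    char *np = malloc(need);
    memcpy(np, b->p, b->len + 1);
    memset(b->p, POISON, b->cap);   /* stand-in for free(): poison, keep mapped */
    b->p = np;
    b->cap = need;
}

/* Vulnerable shape: `repl` is captured before growth and used after it.
 * If `repl` points into b->p, it is stale once grow_gap() moves the data. */
static int decode_stale(struct buf *b, const char *entity,
                        const char *repl, size_t repl_len) {
    char *hit = strstr(b->p, entity);
    if (!hit) return 0;
    size_t off = hit - b->p;
    size_t elen = strlen(entity);
    size_t newlen = b->len - elen + repl_len;
    grow_gap(b, newlen + 1);                       /* old block is now poisoned */
    memmove(b->p + off + repl_len, b->p + off + elen, b->len - off - elen + 1);
    memcpy(b->p + off, repl, repl_len);            /* copies from the stale block */
    b->len = newlen;
    return 1;
}

/* Hardened shape: take a private copy of the replacement before any growth,
 * so the copy source can never alias storage that grow_gap() moves. */
static int decode_safe(struct buf *b, const char *entity,
                       const char *repl, size_t repl_len) {
    char *hit = strstr(b->p, entity);
    if (!hit) return 0;
    size_t off = hit - b->p;
    size_t elen = strlen(entity);
    char *copy = malloc(repl_len);
    memcpy(copy, repl, repl_len);
    size_t newlen = b->len - elen + repl_len;
    grow_gap(b, newlen + 1);
    memmove(b->p + off + repl_len, b->p + off + elen, b->len - off - elen + 1);
    memcpy(b->p + off, copy, repl_len);
    free(copy);
    b->len = newlen;
    return 1;
}

/* The aliased-input scenario from the advisory, with constructed data: the
 * decode input is the same allocation as the replacement value, and that
 * value contains its own entity name ("&x;" expands to "&x;tail"). */
struct buf *demo_aliased(int hardened) {
    struct buf *b = buf_new("&x;tail");
    const char *repl = b->p;        /* alias: replacement lives inside the input */
    size_t repl_len = b->len;
    if (hardened) decode_safe(b, "&x;", repl, repl_len);
    else          decode_stale(b, "&x;", repl, repl_len);
    return b;
}

int main(void) {
    struct buf *good = demo_aliased(1), *bad = demo_aliased(0);
    printf("hardened: %s\n", good->p);
    printf("stale   : first byte 0x%02X, tail \"%s\"\n",
           (unsigned char)bad->p[0], bad->p + 7);
    return 0;
}
```

The hardened path produces `&x;tailtail`; the stale path produces seven poison bytes followed by `tail`, which is the shape of the disclosure the advisory describes: whatever now occupies the old allocation is copied into the output. In a real allocator the old block would be free and possibly reused, so the leaked bytes would be adjacent or recycled heap contents rather than a fixed pattern.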
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 3.84
- Affected Products: 1
HarborGuard Analysis
Synopsis
A use-after-free read vulnerability affects HTML::Entities for Perl in versions before 3.84. The flaw is reachable over the network with no authentication required, triggered when attacker-controlled HTML input causes the XS routine _decode_entities to read from a freed heap buffer. Successful exploitation discloses adjacent heap memory contents to the caller, which may include sensitive in-process data. A patched-image rebuild at version 3.84 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-8829 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including CPANSec) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that vendor the HTML::Entities library directly.
HarborGuard scores this CVE at CVSS 7.5 HIGH and is capable of weighting that score against each environment's compliance policy to determine breach of SLA thresholds; findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
A patched-image rebuild at HTML::Entities 3.84 is available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The affected HTML::Entities decode routine is typically invoked on network-supplied input, so an attacker can trigger the flaw by sending crafted HTML over the network to any application that decodes entities from untrusted input.
- Authentication: Not required
No authentication is needed; the CVSS vector specifies PR:N, meaning any unauthenticated request carrying malicious entity references is sufficient to trigger the bug.
- Victim interaction: Not required
No victim action is required; the application processes the malicious input autonomously as part of normal HTML entity decoding.
- Attack complexity: Low
Attack complexity is low (AC:L), meaning the flaw can be triggered reliably and imposes no special preconditions such as race windows or specific memory layout requirements.
Blast Radius
- An attacker reads raw bytes from heap memory adjacent to the freed buffer, which may include cached strings, session tokens, or other in-process data handled by the Perl interpreter.
- Disclosed heap contents can be returned inside the decoded output SV and transmitted back to the attacker in an application response, depending on how the caller uses the return value.
- There is no integrity or availability impact; the vulnerability is confined to unauthorized memory reads.
How HarborGuard Handles This
Available on HarborGuard: any image containing HTML::Entities earlier than 3.84 is flagged immediately upon CVE ingestion, which occurs within minutes of CPANSec publication. Where compliance policy permits, a rebuilt image pinned to HTML::Entities 3.84 becomes available; for customers with auto-remediation enabled, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads (median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled).
For environments that cannot upgrade immediately, consider isolating services that process untrusted HTML behind a network policy that restricts inbound input sources, and review whether decoded entity values are reflected back in responses in a way that would expose heap contents to external callers.
- OALDERS / HTML::Entities: affected versions from 0 up to (not including) 3.84
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N