A high-severity security flaw has been identified in the core distribution of the Perl programming language. Designated CVE-2026-4176, the vulnerability carries a CVSS score of 9.8, indicating critical risk to systems that rely on the compression modules bundled with Perl.
The issue is a supply chain weakness, classified as CWE-1395 (Dependency on Vulnerable Third-Party Component). Specifically, a long run of Perl releases, from 5.9.4 through recent releases in the 5.43 development branch, ship a version of the Compress::Raw::Zlib module that bundles a vulnerable copy of zlib.
Compress::Raw::Zlib is a "dual-life" core module: it is included in the standard Perl distribution but is also released independently on CPAN. The root of the problem is the "vendored" copy of the zlib library carried inside the module, which is compiled in whenever the module is built without linking against a system zlib. That internal zlib copy contains several flaws, including CVE-2026-3381 and CVE-2026-27171, which can lead to severe system compromise if exploited.
The vulnerability spans a wide range of Perl versions, making it a significant concern for legacy systems and modern deployments alike:
- Perl 5.9.4 through 5.40.4-RC1
- Perl 5.41.0 through 5.42.2-RC1
- Perl 5.43.0 through 5.43.9
Some operating system distributions patch their Perl packages to build Compress::Raw::Zlib against the system zlib instead of the vendored copy. Users on those platforms are not exposed through the vendored copy and are protected once the system-level zlib has been updated to version 1.3.2 or later; confirm this against the distribution's own advisory rather than assuming it.
The most effective way to eliminate the risk is to update Perl itself. The recommended targets are the latest stable releases:
Update to Perl 5.40.4, 5.42.2, or later; these releases include the patched Compress::Raw::Zlib 2.222.
Organizations that cannot immediately upgrade their Perl installation have a manual workaround: install Compress::Raw::Zlib 2.220 or later from CPAN into a directory that precedes the core library directories in @INC (the site_perl tree, where cpan and cpanm install by default). Because Perl searches @INC in order, the newer module then shadows the vulnerable copy shipped with the core distribution. Confirm the result by checking which file %INC reports for Compress/Raw/Zlib.pm and that $Compress::Raw::Zlib::VERSION is the new release, using the same perl binary your applications run under, since each interpreter has its own @INC.
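As an added example, not code from the advisory or from the Perl project, the following check script reports which Compress::Raw::Zlib and which zlib the running perl actually loads, and decides against the thresholds the advisory gives above (module 2.222, system zlib 1.3.2). The ldd-based test for whether the module links the system libz rather than a statically linked vendored copy is my assumption and a Linux-only heuristic; treat an "undetermined" result as vulnerable until it has been checked against the distribution's own advisory.

```perl
#!/usr/bin/env perl
# Added check script (not from the advisory): reports whether the running
# perl's Compress::Raw::Zlib is still exposed to the vendored-zlib issue.
# Version thresholds are the ones the advisory text gives.
use strict;
use warnings;
use Config;
use File::Basename qw(dirname);
use File::Spec;
use Compress::Raw::Zlib ();

my $FIXED_MODULE = '2.222';  # Compress::Raw::Zlib release the advisory calls patched
my $FIXED_ZLIB   = '1.3.2';  # system zlib version the advisory calls safe

# Dotted-version compare for zlib strings; true when $have >= $want.
# Tolerates suffixes such as "1.3.2.zlib-ng" by stripping non-digits.
sub version_at_least {
    my ($have, $want) = @_;
    my @h = split /\./, $have;
    my @w = split /\./, $want;
    for my $i (0 .. $#w) {
        (my $part = $h[$i] // 0) =~ s/\D.*//;
        $part = 0 if $part eq '';
        return 1 if $part > $w[$i];
        return 0 if $part < $w[$i];
    }
    return 1;
}

# Locate the XS shared object behind the Compress/Raw/Zlib.pm that was loaded.
sub xs_object_path {
    my $pm = $INC{'Compress/Raw/Zlib.pm'} or return;
    my $root = dirname(dirname(dirname($pm)));   # strip Compress/Raw/Zlib.pm
    return File::Spec->catfile($root, 'auto', 'Compress', 'Raw', 'Zlib',
                               "Zlib.$Config{dlext}");
}

# Assumed heuristic, Linux-only: a build against the system zlib shows a
# libz (or libz-ng) dependency under ldd; a vendored zlib is compiled into
# Zlib.so and shows none. Returns 1, 0, or undef when it cannot tell.
sub links_system_zlib {
    return unless $^O eq 'linux';
    my $so = xs_object_path();
    return unless defined $so && -e $so;
    my $out = `ldd "$so" 2>/dev/null`;
    return if $? != 0;
    return $out =~ /\blibz(?:-ng)?\.so/ ? 1 : 0;
}

my $module_version = $Compress::Raw::Zlib::VERSION;
my $runtime_zlib   = Compress::Raw::Zlib::zlib_version();  # library actually loaded
my $buildtime_zlib = Compress::Raw::Zlib::ZLIB_VERSION();  # zlib.h seen at build time
my $system_linked  = links_system_zlib();

printf "perl %vd at %s\n", $^V, $^X;
printf "Compress::Raw::Zlib %s (%s)\n", $module_version, $INC{'Compress/Raw/Zlib.pm'};
printf "zlib: runtime %s, build-time %s, linked from system: %s\n",
    $runtime_zlib, $buildtime_zlib,
    defined $system_linked ? ($system_linked ? 'yes' : 'no') : 'unknown';

my $verdict;
if ($module_version >= $FIXED_MODULE) {
    $verdict = "OK: module $module_version carries the patched zlib";
} elsif ($system_linked && version_at_least($runtime_zlib, $FIXED_ZLIB)) {
    $verdict = "OK: built against system zlib $runtime_zlib (>= $FIXED_ZLIB)";
} elsif ($system_linked) {
    $verdict = "VULNERABLE: system zlib $runtime_zlib is older than $FIXED_ZLIB";
} else {
    $verdict = "VULNERABLE (or undetermined): module $module_version < $FIXED_MODULE "
             . "and no system zlib dependency found; assume the vendored copy is in use";
}
print "$verdict\n";
exit($verdict =~ /^OK/ ? 0 : 1);
```

Run it with every perl interpreter in use on the host (the distribution's /usr/bin/perl, any perlbrew or container builds), because each has its own @INC and may load a different Compress::Raw::Zlib. A non-zero exit status makes the script usable as a fleet-wide inventory check.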