CVE-2009-3626
CVE-2009-3626 is a medium-severity vulnerability in Perl with a CVSS 2.0 base score of 5.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.
Key facts
- Severity: Medium (CVSS 2.0 base score 5.0)
- EPSS exploit prediction: 2% (80th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Perl
- Published:
- Last modified:
Description
Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.
Frequently asked questions
- What is CVE-2009-3626?
- Perl 5.10.1 allows context-dependent attackers to cause a denial of service (application crash) via a UTF-8 character with a large, invalid codepoint, which is not properly handled during a regular-expression match.
- How severe is CVE-2009-3626?
- CVE-2009-3626 has a CVSS 2.0 base score of 5.0, rated medium severity.
- Is CVE-2009-3626 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2009-3626?
- CVE-2009-3626 affects Perl. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2009-3626?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2009-3626 published?
- CVE-2009-3626 was published on 2009-10-29 and last updated on 2026-06-16.
References
- http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4
- http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973
- http://rt.perl.org/rt3/Ticket/Attachment/617489/295383/
- http://secunia.com/advisories/37144
- http://securitytracker.com/id?1023077
- http://www.openwall.com/lists/oss-security/2009/10/23/8
- http://www.osvdb.org/59283
- http://www.securityfocus.com/bid/36812
- http://www.vupen.com/english/advisories/2009/3023
- https://exchange.xforce.ibmcloud.com/vulnerabilities/53939
- https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6225
Affected products (1)
- cpe:2.3:a:perl:perl:5.10.1:*:*:*:*:*:*:*
More vulnerabilities in Perl
- CVE-2026-8376 — Critical (CVSS 9.8): Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed…
- CVE-2026-4176 — Critical (CVSS 9.8): Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a…
- CVE-2022-48522 — Critical (CVSS 9.8): In Perl 5.34.0, function S_find_uninit_var in sv.c has a stack-based crash that can lead to remote code execution or…
- CVE-2018-18314 — Critical (CVSS 9.8): Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations.
- CVE-2018-18311 — Critical (CVSS 9.8): Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers…
- CVE-2018-18312 — Critical (CVSS 9.8): Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers…