Vulnerability details: VCID-tnb2-6jhr-z3gx
Vulnerability ID VCID-tnb2-6jhr-z3gx
Aliases CVE-2024-56406
Summary A heap buffer overflow vulnerability was discovered in Perl. Release branches 5.34, 5.36, 5.38 and 5.40 are affected, including development versions from 5.33.1 through 5.41.10. When there are non-ASCII bytes in the left-hand-side of the `tr` operator, `S_do_trans_invmap` can overflow the destination pointer `d`.

    $ perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;'
    Segmentation fault (core dumped)

It is believed that this vulnerability can enable Denial of Service and possibly Code Execution attacks on platforms that lack sufficient defenses.
Status Published
Exploitability 0.5
Weighted Severity 7.7
Risk 3.9
System Score Found at
cvssv3 7.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56406.json
epss 0.00015 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.00053 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.00075 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.00175 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.00183 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
epss 0.0021 https://api.first.org/data/v1/epss?cve=CVE-2024-56406
cvssv3.1 8.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 8.6 https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
ssvc Track https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
cvssv3.1 8.6 https://metacpan.org/release/SHAY/perl-5.38.4/changes
ssvc Track https://metacpan.org/release/SHAY/perl-5.38.4/changes
cvssv3.1 8.6 https://metacpan.org/release/SHAY/perl-5.40.2/changes
ssvc Track https://metacpan.org/release/SHAY/perl-5.40.2/changes
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-56406.json
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-18T16:49:08Z/ Found at https://github.com/Perl/perl5/commit/87f42aa0e0096e9a346c9672aa3a0bd3bef8c1dd.patch
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://metacpan.org/release/SHAY/perl-5.38.4/changes
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-18T16:49:08Z/ Found at https://metacpan.org/release/SHAY/perl-5.38.4/changes
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Found at https://metacpan.org/release/SHAY/perl-5.40.2/changes
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-18T16:49:08Z/ Found at https://metacpan.org/release/SHAY/perl-5.40.2/changes
Exploit Prediction Scoring System (EPSS)
Percentile 0.01835
EPSS Score 0.00015
Published At April 17, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-04-11T14:05:18.704629+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 36.0.0