Fluid Attacks Database

Description

HTML::Entities versions before 3.84 for Perl read freed heap memory in _decode_entities. The XS routine backing HTML::Entities::_decode_entities cached a pointer (repl) into the entity-value SV returned by hv_fetch on the entity2char hash. When the input SV was identical to a value SV in that hash, and that value contained its own key as an entity reference, a later call to grow_gap() reallocated the SV's PV buffer and freed the backing allocation that repl still pointed into. The subsequent copy loop read repl_len bytes from the freed allocation. The read may disclose adjacent heap contents into the destination SV.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	libhtml-parser-perl	=3.75-1 \|\| =3.76-1 \|\| =3.77-1 \|\| =3.78-1 \|\| =3.79-1 \|\| =3.80-1 \|\| =3.81-1 \|\| =3.82-1 \|\| =3.83-1 \|\| =3.83-2
debian 12	libhtml-parser-perl	=3.81-1 \|\| =3.82-1 \|\| =3.83-1 \|\| =3.83-2
debian 13	libhtml-parser-perl	=3.83-1 \|\| =3.83-2
debian 14	libhtml-parser-perl	=3.83-1 \|\| =3.83-2

Aliases

1. CVE-2026-88292. NVD-2026-88293. OSV-DEBIAN-2026-88294. OSV-2026-88295. SECURITY-TRACKER-CVE-2026-8829

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.