CVE-2026-4176: Perl Compress::Raw::Zlib Critical Vulnerability (CVSS 9.8)

Executive Summary

A critical vulnerability (CVE-2026-4176) has been disclosed affecting multiple Perl release branches. The flaw exists in Compress::Raw::Zlib, a dual-life core module that ships bundled with Perl, which contains a vulnerable vendored version of zlib susceptible to CVE-2026-3381. The vulnerability carries a CVSS score of 9.8 — the highest severity tier.

Affected Perl versions span three release branches: 5.9.4 through 5.40.3, 5.41.0 through 5.42.1, and 5.43.0 through 5.43.8. Because Compress::Raw::Zlib is a dual-life module (distributed both as part of Perl core and independently on CPAN), the vulnerable zlib code is present in a very wide range of Perl installations.

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-4176
CVSS Score	9.8 (Critical)
Root Cause	Vendored zlib in Compress::Raw::Zlib inherits CVE-2026-3381
Module	Compress::Raw::Zlib (dual-life Perl core module)
Attack Vector	Network
Privileges Required	None
User Interaction	None
Published	2026-03-29

Affected Versions

Perl Branch	Vulnerable Range	Fixed Version
Stable	5.9.4 – 5.40.3	5.40.4-RC1 and later
Development	5.41.0 – 5.42.1	5.42.2-RC1 and later
Experimental	5.43.0 – 5.43.8	5.43.9 and later

The Compress::Raw::Zlib module is also distributed independently on CPAN. Any installation of this module that bundles the affected zlib version is vulnerable regardless of the Perl version used.

Root Cause: Vendored zlib Dependency

Compress::Raw::Zlib provides a Perl XS interface to the zlib compression library. Rather than linking against a system-installed zlib, it ships with a vendored (embedded) copy of zlib source code. This copy is not always updated in sync with upstream zlib releases, creating a window where security fixes in zlib are not reflected in the Perl module.

CVE-2026-4176 specifically documents that the vendored zlib in the affected Compress::Raw::Zlib versions is vulnerable to CVE-2026-3381, a flaw in zlib itself. The precise nature of CVE-2026-3381 involves memory corruption in zlib's inflate or deflate routines — attackers supplying crafted compressed data to vulnerable Perl applications can trigger the underlying zlib flaw through the Compress::Raw::Zlib interface.

Why This Is Particularly Dangerous

The severity is amplified by several factors:

Ubiquity: Compress::Raw::Zlib is a core Perl module. It is present in virtually every Perl installation in the affected version ranges.
Transitive exposure: Hundreds of CPAN modules depend on Compress::Raw::Zlib (directly or via IO::Compress / Compress::Zlib). Applications that do not explicitly use compression may still be exposed through a dependency.
No privileges required: An attacker only needs to supply crafted compressed input — there is no authentication barrier.

Attack Surface

Any Perl application that processes compressed data from untrusted sources is potentially vulnerable:

Surface	Examples	Risk
Web applications	gzip-compressed HTTP request bodies, file uploads	High
Email processing	MIME attachments, compressed email bodies	High
Archive handling	Processing `.gz`, `.zip`, `.tgz` from user input	High
CI/CD pipelines	Extracting compressed artifacts from external sources	Medium
Package managers	CPAN tools processing compressed distribution archives	Medium
Log analysis	Applications reading compressed log archives	Medium

Remediation

1. Upgrade Perl

The definitive fix is upgrading to a patched Perl release:

# Check current Perl version
perl -v
 
# Upgrade via system package manager (Debian/Ubuntu)
apt update && apt install perl
 
# Upgrade via system package manager (RHEL/Fedora)
dnf update perl
 
# For manually compiled Perl: download from perl.org and rebuild

Target versions (patched):

Stable branch: 5.40.4 or later
Development branch: 5.42.2 or later
Experimental branch: 5.43.9 or later

2. Upgrade Compress::Raw::Zlib from CPAN

If upgrading Perl itself is not immediately feasible, upgrade the module independently:

# Upgrade Compress::Raw::Zlib via cpanm
cpanm Compress::Raw::Zlib
 
# Or via CPAN shell
perl -MCPAN -e 'install Compress::Raw::Zlib'
 
# Verify installed version
perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION, "\n"'

Note: Upgrading via CPAN will replace the vendored zlib with a version that includes the CVE-2026-3381 fix.

3. Input Validation (Temporary Mitigation)

While patching is in progress, restrict or validate compressed input at application entry points:

# Limit compressed input size to reduce attack surface
use constant MAX_COMPRESSED_SIZE => 10 * 1024 * 1024; # 10 MB
 
sub safe_decompress {
    my ($compressed_data) = @_;
    die "Input too large" if length($compressed_data) > MAX_COMPRESSED_SIZE;
    # proceed with decompression
}

4. Container and Image Updates

Update base images that bundle Perl:

# Identify containers using affected Perl versions
docker images --format "{{.Repository}}:{{.Tag}}" | while read img; do
    docker run --rm "$img" perl -v 2>/dev/null | grep -q "perl 5" && echo "Check: $img"
done
 
# Rebuild images after Perl upgrade
docker build --no-cache -t myapp:latest .

Detection

Indicator	Description
Perl version in affected range	Confirm with `perl -v` on all hosts
Compress::Raw::Zlib version	Check with `perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION'`
Segfaults in Perl processes	May indicate exploitation of the zlib memory corruption
Crash dumps referencing inflate/deflate	Signatures of zlib CVE-2026-3381 exploitation

Post-Remediation Steps

Audit all Perl installations across your environment — virtual machines, containers, CI/CD agents, serverless functions
Check CPAN dependencies for transitive Compress::Raw::Zlib usage: cpan-audit or carton with a security profile
Review application logs for unusual compression-related errors or crashes around the disclosure date
Update container base images that include Perl in their default packages
Monitor NVD and Perl security announcements for further details on CVE-2026-3381's exploitability when triggered via Compress::Raw::Zlib

References

Executive Summary

Vulnerability Overview

Attribute	Value
CVE ID	CVE-2026-4176
CVSS Score	9.8 (Critical)
Root Cause	Vendored zlib in Compress::Raw::Zlib inherits CVE-2026-3381
Module	Compress::Raw::Zlib (dual-life Perl core module)
Attack Vector	Network
Privileges Required	None
User Interaction	None
Published	2026-03-29

Affected Versions

Perl Branch	Vulnerable Range	Fixed Version
Stable	5.9.4 – 5.40.3	5.40.4-RC1 and later
Development	5.41.0 – 5.42.1	5.42.2-RC1 and later
Experimental	5.43.0 – 5.43.8	5.43.9 and later

The Compress::Raw::Zlib module is also distributed independently on CPAN. Any installation of this module that bundles the affected zlib version is vulnerable regardless of the Perl version used.

Root Cause: Vendored zlib Dependency

Why This Is Particularly Dangerous

The severity is amplified by several factors:

Ubiquity: Compress::Raw::Zlib is a core Perl module. It is present in virtually every Perl installation in the affected version ranges.
Transitive exposure: Hundreds of CPAN modules depend on Compress::Raw::Zlib (directly or via IO::Compress / Compress::Zlib). Applications that do not explicitly use compression may still be exposed through a dependency.
No privileges required: An attacker only needs to supply crafted compressed input — there is no authentication barrier.

Attack Surface

Any Perl application that processes compressed data from untrusted sources is potentially vulnerable:

Surface	Examples	Risk
Web applications	gzip-compressed HTTP request bodies, file uploads	High
Email processing	MIME attachments, compressed email bodies	High
Archive handling	Processing `.gz`, `.zip`, `.tgz` from user input	High
CI/CD pipelines	Extracting compressed artifacts from external sources	Medium
Package managers	CPAN tools processing compressed distribution archives	Medium
Log analysis	Applications reading compressed log archives	Medium

Remediation

1. Upgrade Perl

The definitive fix is upgrading to a patched Perl release:

# Check current Perl version
perl -v
 
# Upgrade via system package manager (Debian/Ubuntu)
apt update && apt install perl
 
# Upgrade via system package manager (RHEL/Fedora)
dnf update perl
 
# For manually compiled Perl: download from perl.org and rebuild

Target versions (patched):

Stable branch: 5.40.4 or later
Development branch: 5.42.2 or later
Experimental branch: 5.43.9 or later

2. Upgrade Compress::Raw::Zlib from CPAN

If upgrading Perl itself is not immediately feasible, upgrade the module independently:

# Upgrade Compress::Raw::Zlib via cpanm
cpanm Compress::Raw::Zlib
 
# Or via CPAN shell
perl -MCPAN -e 'install Compress::Raw::Zlib'
 
# Verify installed version
perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION, "\n"'

Note: Upgrading via CPAN will replace the vendored zlib with a version that includes the CVE-2026-3381 fix.

3. Input Validation (Temporary Mitigation)

While patching is in progress, restrict or validate compressed input at application entry points:

# Limit compressed input size to reduce attack surface
use constant MAX_COMPRESSED_SIZE => 10 * 1024 * 1024; # 10 MB
 
sub safe_decompress {
    my ($compressed_data) = @_;
    die "Input too large" if length($compressed_data) > MAX_COMPRESSED_SIZE;
    # proceed with decompression
}

4. Container and Image Updates

Update base images that bundle Perl:

# Identify containers using affected Perl versions
docker images --format "{{.Repository}}:{{.Tag}}" | while read img; do
    docker run --rm "$img" perl -v 2>/dev/null | grep -q "perl 5" && echo "Check: $img"
done
 
# Rebuild images after Perl upgrade
docker build --no-cache -t myapp:latest .

Detection

Indicator	Description
Perl version in affected range	Confirm with `perl -v` on all hosts
Compress::Raw::Zlib version	Check with `perl -MCompress::Raw::Zlib -e 'print $Compress::Raw::Zlib::VERSION'`
Segfaults in Perl processes	May indicate exploitation of the zlib memory corruption
Crash dumps referencing inflate/deflate	Signatures of zlib CVE-2026-3381 exploitation

Post-Remediation Steps

Audit all Perl installations across your environment — virtual machines, containers, CI/CD agents, serverless functions
Check CPAN dependencies for transitive Compress::Raw::Zlib usage: cpan-audit or carton with a security profile
Review application logs for unusual compression-related errors or crashes around the disclosure date
Update container base images that include Perl in their default packages
Monitor NVD and Perl security announcements for further details on CVE-2026-3381's exploitability when triggered via Compress::Raw::Zlib

CVE-2026-4176: Perl Compress::Raw::Zlib Critical Vulnerability (CVSS 9.8)

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Root Cause: Vendored zlib Dependency

Why This Is Particularly Dangerous

Attack Surface

Remediation

1. Upgrade Perl

2. Upgrade Compress::Raw::Zlib from CPAN

3. Input Validation (Temporary Mitigation)

4. Container and Image Updates

Detection

Post-Remediation Steps

References

CVE-2026-4177: YAML::Syck Heap Buffer Overflow Enables Remote Code Execution

CVE-2026-22172: OpenClaw Critical Authorization Bypass via WebSocket Scope Elevation

CVE-2025-69902: Critical Command Injection in kubectl-mcp-server

CVE-2026-4176: Perl Compress::Raw::Zlib Critical Vulnerability (CVSS 9.8)

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Root Cause: Vendored zlib Dependency

Why This Is Particularly Dangerous

Attack Surface

Remediation

1. Upgrade Perl

2. Upgrade Compress::Raw::Zlib from CPAN

3. Input Validation (Temporary Mitigation)

4. Container and Image Updates

Detection

Post-Remediation Steps

References

CVE-2026-4177: YAML::Syck Heap Buffer Overflow Enables Remote Code Execution

CVE-2026-22172: OpenClaw Critical Authorization Bypass via WebSocket Scope Elevation

CVE-2025-69902: Critical Command Injection in kubectl-mcp-server

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Root Cause: Vendored zlib Dependency

Why This Is Particularly Dangerous

Attack Surface

Remediation

1. Upgrade Perl

2. Upgrade Compress::Raw::Zlib from CPAN

3. Input Validation (Temporary Mitigation)

4. Container and Image Updates

Detection

Post-Remediation Steps

References

Related Reading

Affected Products

Executive Summary

Vulnerability Overview

Affected Versions

Root Cause: Vendored zlib Dependency

Why This Is Particularly Dangerous

Attack Surface

Remediation

1. Upgrade Perl

2. Upgrade Compress::Raw::Zlib from CPAN

3. Input Validation (Temporary Mitigation)

4. Container and Image Updates

Detection

Post-Remediation Steps

References

Related Reading