Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib.
Compress::Raw::Zlib is included in the Perl package as a dual-life core module, and is vulnerable to CVE-2026-3381 due to a vendored version of zlib which has several vulnerabilities, including CVE-2026-27171. The bundled Compress::Raw::Zlib was updated to version 2.221 in Perl blead commit c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
References 7
https://github.com/Perl/perl5/commit/c75ae9cc164205e1b6d6dbd57bd2c65c8593fe94
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://lists.security.metacpan.org/cve-announce/msg/37638919/
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://metacpan.org/release/PMQS/Compress-Raw-Zlib-2.221/source/Changes
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://metacpan.org/release/SHAY/perl-5.40.4/changes
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://metacpan.org/release/SHAY/perl-5.42.2/changes
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://www.cve.org/CVERecord?id=CVE-2026-3381
9b29abf9-4ab0-4765-b253-1875cd9b441e
http://www.openwall.com/lists/oss-security/2026/03/30/2
af854a3a-2127-422b-91ae-364da2661108