CVE-2024-56406: 
NixOS vulnerability analysis and mitigation

A heap buffer overflow vulnerability (CVE-2024-56406) was discovered in Perl, affecting release branches 5.34, 5.36, 5.38, and 5.40, including development versions from 5.33.1 through 5.41.10. The vulnerability was discovered by Nathan Mills and disclosed on April 13, 2025 (OSS-Security).

The vulnerability occurs when there are non-ASCII bytes in the left-hand-side of the tr operator, where the S_do_trans_invmap function can overflow the destination pointer d. This can be demonstrated with the following proof of concept: perl -e '$_ = "\x{FF}" x 1000000; tr/\xFF/\x{100}/;' which results in a segmentation fault. The vulnerability has been assigned a CVSS v3.1 base score of 8.6 (High) (CISA-ADP).

The vulnerability can enable Denial of Service (DoS) attacks and potentially lead to code execution on platforms that lack sufficient defenses. The impact is particularly concerning for shared hosting environments, server-side Perl scripts handling untrusted input, and legacy systems with weak memory protection models (Security Online).

Users are strongly recommended to update Perl to versions 5.40.2 or 5.38.4, which contain the necessary patches to address the vulnerability. Alternatively, users can apply the upstream patch directly (OSS-Security, Perl Patch).