CVE-2023-47038

7.0 HIGH

📋 TL;DR

This vulnerability in Perl allows an attacker to trigger a heap buffer overflow by providing a malicious regular expression. Systems running affected Perl versions (5.30.0 through 5.38.0) that process untrusted regular expressions are vulnerable, potentially leading to arbitrary code execution or denial of service.

💻 Affected Systems

Products:
  • perl
Versions: 5.30.0 through 5.38.0
Operating Systems: Linux, Unix-like systems, Windows if Perl is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or script using Perl's regular expression engine with affected versions is vulnerable when processing untrusted input.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the Perl process, potentially leading to complete system compromise.

🟠 Likely Case

Denial of service through application crashes or memory corruption, disrupting services that use Perl for regular expression processing.

🟢 If Mitigated

Limited impact if regular expressions are only processed from trusted sources or if the Perl process runs with minimal privileges.

🌐 Internet-Facing: MEDIUM - Exploitation requires the ability to supply crafted regular expressions to vulnerable Perl applications, which may be exposed through web interfaces or APIs.
🏢 Internal Only: LOW - Internal systems typically process trusted data, but risk exists if they handle user-supplied regular expressions from internal sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a specific regular expression to trigger the buffer overflow, which may be complex but feasible for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Perl 5.38.2 or later, or backported patches in distributions like Red Hat and Debian

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-47038

Restart Required: Yes

Instructions:

1. Update Perl to version 5.38.2 or later from official sources.
2. For Linux distributions, use the package manager: 'sudo yum update perl' (RHEL/CentOS) or 'sudo apt update && sudo apt upgrade perl' (Debian/Ubuntu).
3. Restart any services or applications using Perl.

🔧 Temporary Workarounds

Input Validation (platform: all)

Validate and sanitize all regular expression inputs from untrusted sources to prevent malicious patterns.

Privilege Reduction (platform: linux)

Run Perl processes with minimal privileges (e.g., non-root users) to limit impact if exploitation occurs.

sudo -u nobody perl script.pl

🧯 If You Can't Patch

  • Isolate vulnerable systems from untrusted networks and restrict access to only trusted users.
  • Monitor for unusual process crashes or memory usage in Perl applications as indicators of potential exploitation.

🔍 How to Verify

Check if Vulnerable:

Run 'perl -v' to check the version. If it's between 5.30.0 and 5.38.0 inclusive, the system is vulnerable.

Check Version:

perl -v | head -2

Verify Fix Applied:

After patching, run 'perl -v' to confirm the version is 5.38.2 or later, or check with 'rpm -q perl' (RHEL) or 'dpkg -l perl' (Debian) for updated package versions.
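As an added example (not part of this advisory), a POSIX shell helper that turns the version check above into a script: it classifies a Perl version string against the stated affected range (5.30.0 through 5.38.0) and fix version (5.38.2 or later), and can query the installed interpreter via $^V. The function names are my own.

```shell
#!/bin/sh
# Added helper (not from the advisory): classify a Perl version string against
# the ranges stated above. Affected: 5.30.0 through 5.38.0 inclusive; fixed:
# 5.38.2 or later. Accepts "5.38.2" or the "v5.38.2" form printed by $^V.
# Prints one of: vulnerable, fixed, unaffected, unknown.
perl_cve_2023_47038_status() {
    ver="${1#v}"                       # strip the leading "v" from $^V output
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0  # "5.38" with no patch field means .0
    # Collapse to one comparable integer: major*1000000 + minor*1000 + patch
    num=$(( major * 1000000 + minor * 1000 + patch ))
    if [ "$num" -ge 5030000 ] && [ "$num" -le 5038000 ]; then
        echo vulnerable; return 1
    elif [ "$num" -ge 5038002 ]; then
        echo fixed; return 0
    elif [ "$num" -lt 5030000 ]; then
        echo unaffected; return 0
    else
        # 5.38.1: the advisory lists it neither as affected nor as the fix;
        # treat it as unpatched until the distribution confirms otherwise
        echo unknown; return 2
    fi
}

# Query the installed interpreter and classify it; a missing perl is
# distinguished from a vulnerable one by the exit status (3 = not installed)
installed_perl_status() {
    v=$(perl -e 'print $^V' 2>/dev/null) || { echo "perl not found"; return 3; }
    perl_cve_2023_47038_status "$v"
}

# Run directly: classify the version given as argument 1, else the installed perl
if [ -n "${1:-}" ]; then
    perl_cve_2023_47038_status "$1"
else
    installed_perl_status
fi
```

A version string alone is not conclusive on distributions that backport the fix (Red Hat, Debian), so confirm with the package manager checks listed above.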

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from Perl processes
  • Unusual memory allocation errors in application logs

Network Indicators:

  • Unexpected network traffic to Perl-based services with crafted payloads

SIEM Query:

source="*perl*" AND ("segmentation fault" OR "buffer overflow" OR "memory corruption")
