Is CVE-2021-36770 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 1%.

What products does CVE-2021-36770 affect?

Tracked products affected include Perl. Check the version you run to see whether it is affected.

How do I fix CVE-2021-36770?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2021-36770

Q: What is CVE-2021-36770?

CVE-2021-36770 is a high-severity software vulnerability (CWE-427) with a CVSS score of 7.8. Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual

HIGH severity · CVSS 7.8 · CWE-427

7.8CVSS HIGH

Summary

Encode.pm, as distributed in Perl through 5.34.0, allows local users to gain privileges via a Trojan horse Encode::ConfigLocal library (in the current working directory) that preempts dynamic module loading. Exploitation requires an unusual configuration, and certain 2021 versions of Encode.pm (3.05 through 3.11). This issue occurs because the || operator evaluates @INC in a scalar context, and thus @INC has only an integer value.

Impact & exploitability

Attack vectorLocal

Attack complexityLow

Privileges requiredNone

User interactionRequired

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)1%

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products we track (1)

Perl

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://github.com/Perl/perl5/commit/c1a937fef07c061600a0078f4cb53fe9c2136bb9 ↗

CVE-2021-36770

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information