Skip to main content

Perl CVE-2026-57432

HIGH
Integer Overflow or Wraparound (CWE-190)
2026-07-13 CPANSec
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.5 MEDIUM

Requires the app to build a pack/unpack template from untrusted input (uncommon, so AC:H); primitive is a read-only heap disclosure so C:H, I:N, and only possible crash gives A:L.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Source Code Evidence Fetched
Jul 14, 2026 - 14:23 vuln.today
Analysis Generated
Jul 14, 2026 - 14:23 vuln.today
CVSS changed
Jul 14, 2026 - 14:22 NVD
8.4 (HIGH)
CVE Published
Jul 13, 2026 - 15:38 cve.org
HIGH 8.4
CVE Published
Jul 13, 2026 - 15:38 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack.

S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds.

A template derived from untrusted input can read heap memory past the buffer and return it to the caller.

AnalysisAI

Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply attacker-controlled pack/unpack template
Delivery
Embed oversized item repeat count
Exploit
len*size overflows signed SSize_t total negative
Execution
@/X/x signed length guard passes on negative value
Persist
Buffer pointer advances out of bounds
Impact
Adjacent heap memory read and returned to caller

Vulnerability AssessmentAI

Exploitation Exploitation requires the application to construct a pack or unpack template from attacker-influenced input - specifically an oversized item repeat count - combined with use of the @, X, or x position codes that perform signed-length pointer moves; running Perl at or below version 5.43.10. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Perl web service builds a pack/unpack template from client-supplied parameters (for example, a binary-protocol parser that lets the caller specify field repeat counts). An attacker submits a template containing an enormous repeat count together with a @, X, or x position code, overflowing the size total; the interpreter then reads heap memory past the buffer and returns those bytes in the response, leaking secrets such as keys or other users' data. …
Remediation Upgrade to a Perl release that incorporates the upstream fixes; the corrections were committed by the Perl maintainers (commits 5f7eb6bbbe0510964e3fb1d6bb691e5445913e55 and 40754edc72dd3e513d758153c0e2f0215897740e) which add an overflow check in S_measure_struct that croaks with 'Pack template structure size is too large' when len*size or total+len*size would exceed SSize_t_MAX. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems and applications running Perl through version 5.43.10 and assess which are exposed in production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Perl

View all
CVE-2012-6329 HIGH POC
7.5 Jan 04

The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly hand

CVE-2017-12814 CRITICAL POC
9.8 Sep 28

Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before

CVE-2015-8608 CRITICAL POC
9.8 Feb 07

The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of

CVE-2018-18314 CRITICAL POC
9.8 Dec 07

Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Rated

CVE-2018-18312 CRITICAL POC
9.8 Dec 05

Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid

CVE-2018-18313 CRITICAL POC
9.1 Dec 07

Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive informa

CVE-2016-2381 HIGH
7.5 Apr 08

Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate e

CVE-2023-31484 HIGH POC
8.1 Apr 29

CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Rated high severity (CVS

CVE-2016-6185 HIGH POC
7.8 Aug 02

The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which mig

CVE-2018-12015 HIGH POC
7.5 Jun 07

In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mecha

CVE-2015-8853 HIGH
7.5 May 25

The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-depe

CVE-2017-12883 CRITICAL
9.1 Sep 19

Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 al

Share

CVE-2026-57432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy