Perl
CVE-2026-57432
HIGH
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Requires the app to build a pack/unpack template from untrusted input (uncommon, so AC:H); primitive is a read-only heap disclosure so C:H, I:N, and only possible crash gives A:L.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack.
S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds.
A template derived from untrusted input can read heap memory past the buffer and return it to the caller.
AnalysisAI
Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the application to construct a pack or unpack template from attacker-influenced input - specifically an oversized item repeat count - combined with use of the @, X, or x position codes that perform signed-length pointer moves; running Perl at or below version 5.43.10. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and warrant scrutiny. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A Perl web service builds a pack/unpack template from client-supplied parameters (for example, a binary-protocol parser that lets the caller specify field repeat counts). An attacker submits a template containing an enormous repeat count together with a @, X, or x position code, overflowing the size total; the interpreter then reads heap memory past the buffer and returns those bytes in the response, leaking secrets such as keys or other users' data. … |
| Remediation | Upgrade to a Perl release that incorporates the upstream fixes; the corrections were committed by the Perl maintainers (commits 5f7eb6bbbe0510964e3fb1d6bb691e5445913e55 and 40754edc72dd3e513d758153c0e2f0215897740e) which add an overflow check in S_measure_struct that croaks with 'Pack template structure size is too large' when len*size or total+len*size would exceed SSize_t_MAX. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all systems and applications running Perl through version 5.43.10 and assess which are exposed in production environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly hand
Stack-based buffer overflow in the CPerlHost::Add method in win32/perlhost.h in Perl before 5.24.3-RC1 and 5.26.x before
The VDir::MapPathA and VDir::MapPathW functions in Perl 5.22 allow remote attackers to cause a denial of service (out-of
Perl before 5.26.3 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Rated
Perl before 5.26.3 and 5.28.0 before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid
Perl before 5.26.3 has a buffer over-read via a crafted regular expression that triggers disclosure of sensitive informa
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate e
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. Rated high severity (CVS
The XSLoader::load method in XSLoader in Perl does not properly locate .so files when called in a string eval, which mig
In Perl through 5.26.2, the Archive::Tar module allows remote attackers to bypass a directory-traversal protection mecha
The (1) S_reghop3, (2) S_reghop4, and (3) S_reghopmaybe3 functions in regexec.c in Perl before 5.24.0 allow context-depe
Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 before 5.24.3-RC1 and 5.26.x before 5.26.1-RC1 al
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today