Skip to main content

Storable

1 CVEs product

Monthly

CVE-2026-57433 CRITICAL PATCH Act Now

Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.

Deserialization Integer Overflow Storable
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.

Deserialization Integer Overflow Storable
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy