CVE-2026-12087
Deferred Deferred - Pending Action

Heap Out-of-Bounds Read in Perl Socket Module

Vulnerability report for CVE-2026-12087, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: CPANSec

Description

Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perl socket to 2.041 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-805 The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Socket versions before 2.041 for Perl and involves an out-of-bounds heap read.

Specifically, in the function pack_ip_mreq_source() within Socket.xs, the length check for the source argument is incorrectly performed using the byte length from a preceding multiaddr argument instead of the source argument itself.

Because both addresses occupy a 4-byte field, a valid multiaddr allows a source of any length to pass the check. The source is then copied into a fixed-size 4-byte field (imr_sourceaddr) without proper validation.

If the source is shorter than 4 bytes, the copy operation reads up to 3 bytes beyond the end of the source buffer, causing an out-of-bounds heap read and copying adjacent heap memory into the returned packed structure.

Impact Analysis

This vulnerability can lead to the exposure of adjacent heap memory contents when the function pack_ip_mreq_source() is called with a source argument shorter than 4 bytes.

An attacker might exploit this to read sensitive information from memory that should not be accessible, potentially leading to information disclosure.

However, since this is an out-of-bounds read and not a write, it does not directly allow code execution or memory corruption.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the Perl Socket module to version 2.041 or later.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart