CVE-2026-12087
Status: Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: CPANSec

Description
Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
Affected Vendors & Products
Currently, no data is known.
CWE IDs
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-805: The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
AI Quick Actions
Executive Summary

This vulnerability exists in Socket versions before 2.041 for Perl and involves an out-of-bounds heap read.

Specifically, in the function pack_ip_mreq_source() within Socket.xs, the length check for the source argument is incorrectly performed using the byte length from a preceding multiaddr argument instead of the source argument itself.

Because both addresses occupy a 4-byte field, a valid multiaddr allows a source of any length to pass the check. The source is then copied into a fixed-size 4-byte field (imr_sourceaddr) without proper validation.

If the source is shorter than 4 bytes, the copy operation reads up to 3 bytes beyond the end of the source buffer, causing an out-of-bounds heap read and copying adjacent heap memory into the returned packed structure.
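The check-ordering defect described above, modelled in C as an added example (not Socket.xs code): `struct sv`, `sv_pvbyte()`, `ip_mreq_source_model` and both `pack_*` functions are constructed stand-ins for a Perl scalar, SvPVbyte() and the packed structure, and the buggy variant is placed beside the corrected ordering.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins, not Socket.xs: a Perl scalar and SvPVbyte(), which
 * returns the bytes and stores the scalar's byte length in *len. */
struct sv { const char *buf; size_t len; };
static const char *sv_pvbyte(const struct sv *s, size_t *len) { *len = s->len; return s->buf; }

/* Only the two 4-byte fields the advisory names. */
struct ip_mreq_source_model { unsigned char imr_multiaddr[4], imr_sourceaddr[4]; };

/* Defective ordering: the check meant for `source` runs before sv_pvbyte()
 * has refreshed `len`, so it tests the multiaddr length left over from above.
 * Returns 0 when the arguments are accepted, -1 when a length check fails. */
int pack_ip_mreq_source_buggy(const struct sv *multiaddr, const struct sv *source,
                              struct ip_mreq_source_model *out)
{
    size_t len;
    const char *p = sv_pvbyte(multiaddr, &len);
    if (len != 4) return -1;
    memcpy(out->imr_multiaddr, p, 4);

    if (len != 4) return -1;            /* stale: still the multiaddr length */
    p = sv_pvbyte(source, &len);        /* len is refreshed only now, too late */
    memcpy(out->imr_sourceaddr, p, 4);  /* fixed 4-byte copy whatever len is */
    return 0;
}

/* Corrected ordering: fetch the argument first, then check its own length. */
int pack_ip_mreq_source_fixed(const struct sv *multiaddr, const struct sv *source,
                              struct ip_mreq_source_model *out)
{
    size_t len;
    const char *p = sv_pvbyte(multiaddr, &len);
    if (len != 4) return -1;
    memcpy(out->imr_multiaddr, p, 4);

    p = sv_pvbyte(source, &len);
    if (len != 4) return -1;            /* rejects a 2-byte source before copying */
    memcpy(out->imr_sourceaddr, p, 4);
    return 0;
}
```

Called with a 2-byte source that sits at the front of a larger buffer you own, the buggy variant returns 0 and copies the two bytes that follow the source into imr_sourceaddr, while the fixed variant returns -1 before any copy.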

Impact Analysis

This vulnerability can lead to the exposure of adjacent heap memory contents when the function pack_ip_mreq_source() is called with a source argument shorter than 4 bytes.

An attacker might exploit this to read sensitive information from memory that should not be accessible, potentially leading to information disclosure.

However, since this is an out-of-bounds read and not a write, it does not directly allow code execution or memory corruption.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade the Perl Socket module to version 2.041 or later.
