CVE-2026-57433
Awaiting Analysis Awaiting Analysis - Queue

Integer Overflow in Perl Storable Module

Vulnerability report for CVE-2026-57433, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: CPANSec

Description

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK record and calls av_extend with that count plus one. A count of I32_MAX wraps the addition to a negative value. A crafted blob passed to thaw or retrieve triggers the overflow; av_extend receives the negative count and dies with a panic, terminating the deserialization.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
perl storable to 3.41 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can impact you in several ways if you are using an affected version of the Perl Storable module (versions before 3.41):

  • Denial of Service (DoS): An attacker can craft a malicious serialized blob that, when deserialized using `thaw` or `retrieve`, causes the application to crash or terminate unexpectedly. This can disrupt services or applications relying on Storable for data deserialization.
  • Data Integrity Risks: If the deserialization process is part of a critical workflow (e.g., loading configuration or user data), the abrupt termination could lead to incomplete or corrupted data processing, potentially causing logical errors or data loss.
  • Security Risks: While this specific vulnerability does not mention remote code execution, integer overflows can sometimes be chained with other vulnerabilities to escalate privileges or bypass security controls. It is important to patch the vulnerability to prevent potential exploitation in broader attack scenarios.
Executive Summary

CVE-2026-57433 is a vulnerability in the Perl Storable module, specifically affecting versions before 3.41. The issue involves a signed integer overflow during the deserialization of a crafted SX_HOOK record.

The vulnerability occurs in the `retrieve_hook_common` function, which reads a signed 32-bit item count from an SX_HOOK record. This count is then passed to the `av_extend` function with an increment of one. If the count is set to `I32_MAX` (the maximum value for a signed 32-bit integer), the addition wraps around to a negative value. This negative count is then passed to `av_extend`, causing the function to panic and terminate the deserialization process.

An attacker can exploit this vulnerability by passing a specially crafted blob to the `thaw` or `retrieve` functions, leading to a denial of service (DoS) condition due to the abrupt termination of the deserialization.

Compliance Impact

This vulnerability can have implications for compliance with common standards and regulations, depending on the context in which the affected software is used:

  • GDPR (General Data Protection Regulation): If the vulnerable Storable module is used to deserialize data containing personal or sensitive information, a successful exploitation of this vulnerability could lead to a denial of service, disrupting access to that data. Under GDPR, organizations must ensure the availability and resilience of processing systems. A DoS condition could be seen as a failure to meet these requirements, potentially leading to non-compliance.
  • HIPAA (Health Insurance Portability and Accountability Act): For organizations handling protected health information (PHI), this vulnerability could disrupt access to critical systems or data. HIPAA requires the confidentiality, integrity, and availability of PHI. A DoS attack exploiting this vulnerability could compromise availability, leading to non-compliance if not addressed promptly.
  • Other Standards (e.g., ISO 27001, NIST): Many security frameworks require organizations to maintain the integrity and availability of systems and data. A vulnerability that allows for DoS attacks could be considered a failure to implement adequate security controls, potentially resulting in non-compliance with these standards.

To mitigate compliance risks, organizations should upgrade to Storable version 3.41 or later, as recommended in the resources, and ensure that all systems handling sensitive data are protected against known vulnerabilities.

Detection Guidance

Detecting this vulnerability on your system involves checking for the presence of vulnerable versions of the Perl Storable module and testing for the specific integer overflow condition. Below are some approaches and commands to help identify the issue:

  • Check the installed version of the Storable module. If it is before 3.41, the system is vulnerable. You can use the following Perl command to check the version:

```perl perl -MStorable -e 'print $Storable::VERSION . "\n";' ```

  • If you have access to the source code or can inspect the deserialization process, look for calls to `thaw` or `retrieve` functions with untrusted input. Crafted blobs passed to these functions can trigger the vulnerability.
  • Monitor for crashes or panics in applications using Storable for deserialization. The vulnerability causes `av_extend` to receive a negative count, leading to a panic and termination of the deserialization process. Logs may show errors like "panic: av_extend" or similar.

Note: There are no direct network-based detection methods for this vulnerability, as it is triggered by local deserialization of crafted data. Focus on version checks and input validation.

Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade the Storable module to version 3.41 or later. This version includes the fix for the signed integer overflow issue. You can upgrade using CPAN or your system's package manager:

Using CPAN: ```bash cpan Storable ```

Or, if using a system package manager (e.g., for Debian-based systems): ```bash sudo apt-get update && sudo apt-get install libstorable-perl ```

  • If upgrading is not immediately possible, apply the patch provided in Resource 2. The patch adds a check to prevent the integer overflow by validating the `len3` value in the `retrieve_hook_common` function.
  • Avoid deserializing untrusted or crafted data using the `thaw` or `retrieve` functions. Validate all inputs to these functions to ensure they do not contain maliciously crafted SX_HOOK records.
  • Monitor applications using Storable for crashes or unexpected terminations, as these may indicate exploitation attempts. Implement logging for deserialization errors to detect potential attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57433. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart