CVE-2026-12087

NameCVE-2026-12087
DescriptionSocket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libsocket-perl (PTS)bullseye2.031-1vulnerable
bookworm2.036-1vulnerable
trixie2.038-1vulnerable
forky, sid2.041-1fixed
perl (PTS)bullseye5.32.1-4+deb11u3vulnerable
bullseye (security)5.32.1-4+deb11u5vulnerable
bookworm5.36.0-7+deb12u3vulnerable
bookworm (security)5.36.0-7+deb12u2vulnerable
trixie5.40.1-6vulnerable
forky, sid5.40.1-8vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libsocket-perlsource(unstable)2.041-1
perlsource(unstable)(unfixed)

Notes

https://lists.security.metacpan.org/cve-announce/msg/41020451/
Fixed by: https://github.com/Perl/perl5/commit/de19a0b0ad1900fef976c5c1400bd8f11ec6c6cb (v5.43.11)
Search for package or bug name: Reporting problems