Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <844A4E81-311A-48E1-9D04-B635CD81E7AE@stig.io>
Date: Mon, 13 Jul 2026 17:51:10 +0200
From: Stig Palmquist <stig@...g.io>
To: cve-announce@...urity.metacpan.org,
 oss-security@...ts.openwall.com
Subject: CVE-2026-57433: Storable versions before 3.41 for Perl have a signed
 integer overflow when deserializing a crafted SX_HOOK record

========================================================================
CVE-2026-57433                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-57433
  Distribution:  Storable
      Versions:  before 3.41

      MetaCPAN:  https://metacpan.org/dist/Storable
      VCS Repo:  https://github.com/Perl/perl5


Storable versions before 3.41 for Perl have a signed integer overflow
when deserializing a crafted SX_HOOK record

Description
-----------
Storable versions before 3.41 for Perl have a signed integer overflow
when deserializing a crafted SX_HOOK record.

retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK
record and calls av_extend with that count plus one. A count of I32_MAX
wraps the addition to a negative value.

A crafted blob passed to thaw or retrieve triggers the overflow;
av_extend receives the negative count and dies with a panic,
terminating the deserialization.

Problem types
-------------
- CWE-190 Integer Overflow or Wraparound

Solutions
---------
Upgrade to Storable 3.41 or later.


References
----------
https://github.com/Perl/perl5/commit/e4f681784bcdeaa91ff02a2fa4cdcae5c46779d7.patch


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.