PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12087 PEVANS CVE debrief

CVE-2026-12087 details an out-of-bounds heap read issue in Socket versions before 2.041 for Perl. The vulnerability arises from incorrect length checks in the `pack_ip_mreq_source()` function, which can lead to reading up to 3 bytes past the end of a buffer. This issue is caused by the function checking the length of its source argument after it has been read, effectively bypassing the check for sources shorter than 4 bytes.

Vendor: PEVANS
Product: Socket
CVSS: CRITICAL 9.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-15
Original CVE updated: 2026-06-16
Advisory published: 2026-06-15
Advisory updated: 2026-06-16

Who should care

Developers and administrators running Perl's Socket module at a version before 2.041 should be aware of this vulnerability. Successful exploitation could lead to information disclosure; other impacts depend on the specific application and the context in which the function is called.

Technical summary

The `pack_ip_mreq_source()` function in Socket.xs checks the length of its source argument only after the argument has already been read. Because the check comes too late, a source of any length passes it as long as it is preceded by a valid multiaddr. The function then performs a fixed-size copy into a 4-byte field, so a source shorter than 4 bytes causes a read past the end of its buffer.

Defensive priority

High

Recommended defensive actions

  • Update to Socket version 2.041 or later.
  • Review and patch vulnerable applications using the provided patches [ref-4].
  • Check for updates and advisories from the Perl project and relevant distributions [ref-5].

Evidence notes

Evidence from the NVD and CVE records indicates a high-severity issue with significant potential impact. The vulnerability has been publicly disclosed and discussed on security mailing lists [ref-6].

Official resources

CVE-2026-12087 was published on 2026-06-15T22:16:16.197Z and modified on 2026-06-16T00:16:19.060Z.