CRITICAL | CVE-2026-12087 | CNA: CPANSec

CVE-2026-12087: Socket versions before 2.041 for Perl have an out-of-bounds heap read

Socket versions before 2.041 for Perl have an out-of-bounds heap read. In Socket.xs, pack_ip_mreq_source() checks the length of its source argument before the argument is read, so the check tests the byte length carried over from the preceding multiaddr argument instead. Both addresses occupy a 4-byte field, so a valid multiaddr lets a source of any length pass the check, and the source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. Calling pack_ip_mreq_source() with a source value shorter than 4 bytes copies adjacent heap memory into the returned packed structure.
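A simplified C model of the check ordering described above, added here as an illustration. It is not the Socket.xs source, and the names `struct bytes`, `mreq_model`, `pack_flawed`, `pack_checked` and `demo` are hypothetical. The short source sits inside a larger constructed array so the fixed 4-byte copy stays well-defined while still showing neighbouring bytes reaching the packed result.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 4 /* each IPv4 address field is 4 bytes */

/* Length-tagged byte string, standing in for a Perl scalar's buffer. */
struct bytes { const unsigned char *p; size_t len; };
/* Simplified packed result: only the two fields the advisory discusses. */
struct mreq_model { unsigned char multiaddr[ADDR_LEN], sourceaddr[ADDR_LEN]; };

/* Flawed ordering: the source check runs before source's length is read,
 * so it re-tests multiaddr's length; the copy that follows is fixed-size. */
int pack_flawed(struct bytes multiaddr, struct bytes source, struct mreq_model *out) {
    size_t len = multiaddr.len;
    if (len != ADDR_LEN) return -1;               /* multiaddr: checked correctly */
    memcpy(out->multiaddr, multiaddr.p, ADDR_LEN);
    if (len != ADDR_LEN) return -1;               /* "source" check on a stale len */
    len = source.len;                             /* read too late to matter */
    memcpy(out->sourceaddr, source.p, ADDR_LEN);  /* always reads 4 bytes */
    return 0;
}

/* Corrected ordering: every length is validated before its copy. */
int pack_checked(struct bytes multiaddr, struct bytes source, struct mreq_model *out) {
    if (multiaddr.len != ADDR_LEN || source.len != ADDR_LEN) return -1;
    memcpy(out->multiaddr, multiaddr.p, ADDR_LEN);
    memcpy(out->sourceaddr, source.p, ADDR_LEN);
    return 0;
}

/* Constructed data: a 2-byte source followed by unrelated neighbouring bytes.
 * Both live in one array so the over-read stays well-defined in this demo. */
static const unsigned char arena[ADDR_LEN] = { 0x0a, 0x01, 'K', 'Y' };
static const unsigned char group[ADDR_LEN] = { 232, 1, 1, 1 };

/* Packs the constructed 2-byte source through either path. */
int demo(int flawed, struct mreq_model *out) {
    struct bytes m = { group, ADDR_LEN }, s = { arena, 2 };
    memset(out, 0, sizeof *out);
    return flawed ? pack_flawed(m, s, out) : pack_checked(m, s, out);
}

int main(void) {
    struct mreq_model out;
    int rc = demo(1, &out);
    printf("flawed:  rc=%d, tail of source field: %c%c\n", rc, out.sourceaddr[2], out.sourceaddr[3]);
    printf("checked: rc=%d\n", demo(0, &out));
    return 0;
}
```

The flawed path accepts the 2-byte source and the last two bytes of the source field come from the neighbouring data; the corrected path rejects the same input before any copy.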

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 2.041
Affected Products: 1


HarborGuard Analysis

Synopsis

An out-of-bounds heap read vulnerability exists in the Perl Socket module before version 2.041. The flaw is reachable over the network without any authentication, and occurs in the pack_ip_mreq_source() function where a length check is applied to the wrong argument, allowing adjacent heap memory to be read and returned to the caller. Successful exploitation leaks heap contents to the attacker and can cause a service crash. A patched-image rebuild at version 2.041 is available on HarborGuard for environments running an affected version of the Socket module.

HarborGuard Coverage

Detection

Detection of CVE-2026-12087 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds including CPANSec, covering both base images and custom-built images that bundle the Perl Socket module. Any image whose manifest resolves to a Socket version below 2.041 is flagged automatically in the pipeline scan.

Detection: Available

Triage

HarborGuard scores this CVE at 9.1 CRITICAL using the recorded CVSS v3.1 vector, and per-environment compliance policy weighting is applied to prioritize routing within each customer organization. Triage results are delivered to the inbox configured for the relevant team, with severity context and the specific package version that triggered the match.

Triage: Available

Patch

A patched-image rebuild at Socket 2.041 is available on HarborGuard for any environment where the affected version is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Patch: Available

Exploit Conditions

  • Network reachability: Required

    The vulnerable function is exposed over the network, meaning an attacker must be able to reach the service across the internet or an internal network to supply a crafted argument.

  • Authentication: Not required

    No credentials or account are needed; an unauthenticated caller can invoke the vulnerable code path directly.

  • Victim interaction: Not required

    No user action or social engineering is required to trigger the out-of-bounds read.

  • Attack complexity: Detail

    The exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout to produce a heap read.

Blast Radius

  • The attacker receives raw heap memory contents from the process, which may include cryptographic material, session tokens, or other in-memory data adjacent to the buffer.
  • Confidential data processed by the Perl application, such as connection credentials or internal state, can be exposed through the returned packed structure.
  • Reading past the end of a heap buffer can corrupt allocator metadata or adjacent allocations, crashing the affected service and causing a denial of service.

How HarborGuard Handles This

Available on HarborGuard: images containing Perl Socket below version 2.041 are matched against this CVE within minutes of advisory publication. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at Socket 2.041, runs a regression test against the rebuilt image, and opens a pull request against affected workloads; for CRITICAL-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy does not permit automatic remediation, the CVE appears in the triage queue with full CVSS context and package-level match details so engineers can act manually. Customers are encouraged to prioritize this issue given the no-authentication, network-reachable attack surface and the confirmed heap-disclosure impact.


Fix available: 2.041
Patch commits
Affected packages
  • PEVANS / Socket
    < 2.041 (from 0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H