Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN639
_____________________________________________________________________

DATE                : 16/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Socket for Perl versions prior
                                       to 2.041.

=====================================================================
https://lists.security.metacpan.org/cve-announce/msg/41020451/
_____________________________________________________________________



========================================================================
CVE-2026-12087                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-12087
   Distribution:  Socket
       Versions:  before 2.041

       MetaCPAN:  https://metacpan.org/dist/Socket

Socket versions before 2.041 for Perl have an out-of-bounds heap read

Description
-----------
Socket versions before 2.041 for Perl have an out-of-bounds heap read.

In Socket.xs, pack_ip_mreq_source() checks the length of its source
argument before the argument is read, so the check tests the byte
length carried over from the preceding multiaddr argument instead. Both
addresses occupy a 4-byte field, so a valid multiaddr lets a source of
any length pass the check, and the source is then copied into the
4-byte imr_sourceaddr field with a fixed-size copy. A source shorter
than 4 bytes is not rejected, and the copy reads up to 3 bytes past the
end of its buffer.

Calling pack_ip_mreq_source() with a source value shorter than 4 bytes
copies adjacent heap memory into the returned packed structure.

Problem types
-------------
- CWE-125 Out-of-bounds Read
- CWE-805 Buffer Access with Incorrect Length Value

Solutions
---------
Upgrade to version 2.041 or later.

References
----------
https://metacpan.org/release/PEVANS/Socket-2.041/changes
https://github.com/Perl/perl5/commit/de19a0b0ad1900fef976c5c1400bd8f11ec6c6cb.patch


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================