CVE-2026-12087
Description
Perl's Socket module before 2.041 has an out-of-bounds heap read in pack_ip_mreq_source() due to incorrect length check, leaking adjacent heap memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Perl's Socket module before 2.041 has an out-of-bounds heap read in pack_ip_mreq_source() due to incorrect length check, leaking adjacent heap memory.
Vulnerability
In Perl's Socket module, the function pack_ip_mreq_source() in Socket.xs contains an out-of-bounds heap read vulnerability. The length check for the source argument is performed using a STRLEN len variable that was previously set for the multiaddr argument, so the check tests the byte length of multiaddr instead of source. Both addresses are 4-byte fields, so a valid multiaddr allows a source of any length to pass the check. The source is then copied into the 4-byte imr_sourceaddr field with a fixed-size copy. A source shorter than 4 bytes is not rejected, and the copy reads up to 3 bytes past the end of its buffer. This affects all versions of the Socket module before 2.041 [1][2].
Exploitation
An attacker can trigger this vulnerability by calling pack_ip_mreq_source() with a source value shorter than 4 bytes. No special privileges are required; any Perl code that invokes this function with attacker-controlled arguments can exploit the bug. The function is commonly used in network programming, so if an application passes untrusted input to pack_ip_mreq_source(), an attacker can cause an out-of-bounds heap read.
Impact
Successful exploitation results in copying adjacent heap memory into the returned packed structure. This leads to information disclosure of heap contents, potentially exposing sensitive data such as credentials, encryption keys, or other application secrets. The disclosure is limited to the heap memory immediately following the source buffer, but the exact amount depends on the heap layout.
Mitigation
The vulnerability is fixed in Socket version 2.041, released on 2026-03-26 [2]. Users should upgrade to this version or apply the patch from commit de19a0b0ad1900fef976c5c1400bd8f11ec6c6cb [1]. No workaround is available for earlier versions; upgrading is the recommended action.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <2.041
Patches
1de19a0b0ad19cpan/Socket - Update to version 2.041
3 files changed · +135 −55
cpan/Socket/Socket.pm+77 −26 modified@@ -3,14 +3,16 @@ package Socket; use v5.6.1; use strict; -our $VERSION = '2.040'; +our $VERSION = '2.041'; =head1 NAME C<Socket> - networking constants and support functions =head1 SYNOPSIS +=for highlighter language=perl + C<Socket> a low-level module used by, among other things, the L<IO::Socket> family of modules. The following examples demonstrate some low-level uses but a practical program would likely use the higher-level API provided by @@ -167,7 +169,9 @@ strings representing structures. =cut -=head2 $family = sockaddr_family $sockaddr +=head2 sockaddr_family + + $family = sockaddr_family $sockaddr; Takes a packed socket address (as returned by pack_sockaddr_in(), pack_sockaddr_un() or the perl builtin functions getsockname() and @@ -176,7 +180,9 @@ C<AF_*> constants, such as C<AF_INET> for a C<sockaddr_in> addresses or C<AF_UNIX> for a C<sockaddr_un>. It can be used to figure out what unpack to use for a sockaddr of unknown type. -=head2 $sockaddr = pack_sockaddr_in $port, $ip_address +=head2 pack_sockaddr_in + + $sockaddr = pack_sockaddr_in $port, $ip_address; Takes two arguments, a port number and an opaque string (as returned by inet_aton(), or a v-string). Returns the C<sockaddr_in> structure with those @@ -187,7 +193,9 @@ connect(), and send(). An undefined $port argument is taken as zero; an undefined $ip_address is considered a fatal error. -=head2 ($port, $ip_address) = unpack_sockaddr_in $sockaddr +=head2 unpack_sockaddr_in + + ($port, $ip_address) = unpack_sockaddr_in $sockaddr; Takes a C<sockaddr_in> structure (as returned by pack_sockaddr_in(), getpeername() or recv()). Returns a list of two elements: the port and an @@ -197,9 +205,11 @@ does not represent an C<AF_INET> address. In scalar context will return just the IP address. -=head2 $sockaddr = sockaddr_in $port, $ip_address +=head2 sockaddr_in + + $sockaddr = sockaddr_in $port, $ip_address; -=head2 ($port, $ip_address) = sockaddr_in $sockaddr + ($port, $ip_address) = sockaddr_in $sockaddr; A wrapper of pack_sockaddr_in() or unpack_sockaddr_in(). In list context, unpacks its argument and returns a list consisting of the port and IP address. @@ -209,7 +219,10 @@ and returns it. Provided largely for legacy compatibility; it is better to use pack_sockaddr_in() or unpack_sockaddr_in() explicitly. -=head2 $sockaddr = pack_sockaddr_in6 $port, $ip6_address, [$scope_id, [$flowinfo]] +=head2 pack_sockaddr_in6 + + $sockaddr = pack_sockaddr_in6 $port, $ip6_address, + $scope_id = 0, $flowinfo = 0; Takes two to four arguments, a port number, an opaque string (as returned by inet_pton()), optionally a scope ID number, and optionally a flow label @@ -219,7 +232,9 @@ and C<AF_INET6> filled in. IPv6 equivalent of pack_sockaddr_in(). An undefined $port argument is taken as zero; an undefined $ip6_address is considered a fatal error. -=head2 ($port, $ip6_address, $scope_id, $flowinfo) = unpack_sockaddr_in6 $sockaddr +=head2 unpack_sockaddr_in6 + + ($port, $ip6_address, $scope_id, $flowinfo) = unpack_sockaddr_in6 $sockaddr; Takes a C<sockaddr_in6> structure. Returns a list of four elements: the port number, an opaque string representing the IPv6 address, the scope ID, and the @@ -229,9 +244,12 @@ address. In scalar context will return just the IP address. -=head2 $sockaddr = sockaddr_in6 $port, $ip6_address, [$scope_id, [$flowinfo]] +=head2 sockaddr_in6 + + $sockaddr = sockaddr_in6 $port, $ip6_address, + $scope_id = 0, $flowinfo = 0; -=head2 ($port, $ip6_address, $scope_id, $flowinfo) = sockaddr_in6 $sockaddr + ($port, $ip6_address, $scope_id, $flowinfo) = sockaddr_in6 $sockaddr; A wrapper of pack_sockaddr_in6() or unpack_sockaddr_in6(). In list context, unpacks its argument according to unpack_sockaddr_in6(). In scalar context, @@ -240,22 +258,28 @@ packs its arguments according to pack_sockaddr_in6(). Provided largely for legacy compatibility; it is better to use pack_sockaddr_in6() or unpack_sockaddr_in6() explicitly. -=head2 $sockaddr = pack_sockaddr_un $path +=head2 pack_sockaddr_un + + $sockaddr = pack_sockaddr_un $path; Takes one argument, a pathname. Returns the C<sockaddr_un> structure with that path packed in with C<AF_UNIX> filled in. For C<PF_UNIX> sockets, this structure is normally what you need for the arguments in bind(), connect(), and send(). -=head2 ($path) = unpack_sockaddr_un $sockaddr +=head2 unpack_sockaddr_un + + ($path) = unpack_sockaddr_un $sockaddr; Takes a C<sockaddr_un> structure (as returned by pack_sockaddr_un(), getpeername() or recv()). Returns a list of one element: the pathname. Will croak if the structure does not represent an C<AF_UNIX> address. -=head2 $sockaddr = sockaddr_un $path +=head2 sockaddr_un + + $sockaddr = sockaddr_un $path; -=head2 ($path) = sockaddr_un $sockaddr + ($path) = sockaddr_un $sockaddr; A wrapper of pack_sockaddr_un() or unpack_sockaddr_un(). In a list context, unpacks its argument and returns a list consisting of the pathname. In a @@ -266,37 +290,49 @@ pack_sockaddr_un() or unpack_sockaddr_un() explicitly. These are only supported if your system has E<lt>F<sys/un.h>E<gt>. -=head2 $ip_mreq = pack_ip_mreq $multiaddr, $interface +=head2 pack_ip_mreq + + $ip_mreq = pack_ip_mreq $multiaddr, $interface; Takes an IPv4 multicast address and optionally an interface address (or C<INADDR_ANY>). Returns the C<ip_mreq> structure with those arguments packed in. Suitable for use with the C<IP_ADD_MEMBERSHIP> and C<IP_DROP_MEMBERSHIP> sockopts. -=head2 ($multiaddr, $interface) = unpack_ip_mreq $ip_mreq +=head2 unpack_ip_mreq + + ($multiaddr, $interface) = unpack_ip_mreq $ip_mreq; Takes an C<ip_mreq> structure. Returns a list of two elements; the IPv4 multicast address and interface address. -=head2 $ip_mreq_source = pack_ip_mreq_source $multiaddr, $source, $interface +=head2 pack_ip_mreq_source + + $ip_mreq_source = pack_ip_mreq_source $multiaddr, $source, $interface; Takes an IPv4 multicast address, source address, and optionally an interface address (or C<INADDR_ANY>). Returns the C<ip_mreq_source> structure with those arguments packed in. Suitable for use with the C<IP_ADD_SOURCE_MEMBERSHIP> and C<IP_DROP_SOURCE_MEMBERSHIP> sockopts. -=head2 ($multiaddr, $source, $interface) = unpack_ip_mreq_source $ip_mreq +=head2 unpack_ip_mreq_source + + ($multiaddr, $source, $interface) = unpack_ip_mreq_source $ip_mreq; Takes an C<ip_mreq_source> structure. Returns a list of three elements; the IPv4 multicast address, source address and interface address. -=head2 $ipv6_mreq = pack_ipv6_mreq $multiaddr6, $ifindex +=head2 pack_ipv6_mreq + + $ipv6_mreq = pack_ipv6_mreq $multiaddr6, $ifindex; Takes an IPv6 multicast address and an interface number. Returns the C<ipv6_mreq> structure with those arguments packed in. Suitable for use with the C<IPV6_ADD_MEMBERSHIP> and C<IPV6_DROP_MEMBERSHIP> sockopts. -=head2 ($multiaddr6, $ifindex) = unpack_ipv6_mreq $ipv6_mreq +=head2 unpack_ipv6_mreq + + ($multiaddr6, $ifindex) = unpack_ipv6_mreq $ipv6_mreq; Takes an C<ipv6_mreq> structure. Returns a list of two elements; the IPv6 address and an interface number. @@ -307,7 +343,9 @@ address and an interface number. =cut -=head2 $ip_address = inet_aton $string +=head2 inet_aton + + $ip_address = inet_aton $string; Takes a string giving the name of a host, or a textual representation of an IP address and translates that to an packed binary address structure suitable to @@ -321,7 +359,9 @@ in other words, that it would contain only the IPv4 address in network order. This IPv4-only function is provided largely for legacy reasons. Newly-written code should use getaddrinfo() or inet_pton() instead for IPv6 support. -=head2 $string = inet_ntoa $ip_address +=head2 inet_ntoa + + $string = inet_ntoa $ip_address; Takes a packed binary address structure such as returned by unpack_sockaddr_in() (or a v-string representing the four octets of the IPv4 @@ -332,7 +372,9 @@ human-readable four dotted number notation for Internet addresses). This IPv4-only function is provided largely for legacy reasons. Newly-written code should use getnameinfo() or inet_ntop() instead for IPv6 support. -=head2 $address = inet_pton $family, $string +=head2 inet_pton + + $address = inet_pton $family, $string; Takes an address family (such as C<AF_INET> or C<AF_INET6>) and a string containing a textual representation of an address in that family and @@ -341,7 +383,9 @@ translates that to an packed binary address structure. See also getaddrinfo() for a more powerful and flexible function to look up socket addresses given hostnames or textual addresses. -=head2 $string = inet_ntop $family, $address +=head2 inet_ntop + + $string = inet_ntop $family, $address; Takes an address family and a packed binary address structure and translates it into a human-readable textual representation of the address; typically in @@ -350,7 +394,11 @@ C<d.d.d.d> form for C<AF_INET> or C<hhhh:hhhh::hhhh> form for C<AF_INET6>. See also getnameinfo() for a more powerful and flexible function to turn socket addresses into human-readable textual representations. -=head2 ($err, @result) = getaddrinfo $host, $service, [$hints] +=head2 getaddrinfo + + ($err, @result) = getaddrinfo $host, $service; + + ($err, @result) = getaddrinfo $host, $service, \%hints; Given both a hostname and service name, this function attempts to resolve the host name into a list of network addresses, and the service name into a @@ -452,7 +500,10 @@ an error if a hostname is passed. =back -=head2 ($err, $hostname, $servicename) = getnameinfo $sockaddr, [$flags, [$xflags]] +=head2 getnameinfo + + ($err, $hostname, $servicename) = getnameinfo $sockaddr, + $flags = 0, $xflags = 0; Given a packed socket address (such as from getsockname(), getpeername(), or returned by getaddrinfo() in a C<addr> field), returns the hostname and
cpan/Socket/Socket.xs+56 −27 modified@@ -1280,26 +1280,35 @@ pack_ip_mreq(multiaddr, interface=&PL_sv_undef) struct ip_mreq mreq; char * multiaddrbytes; char * interfacebytes; - STRLEN len; - if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) - croak("Wide character in %s", "Socket::pack_ip_mreq"); - multiaddrbytes = SvPVbyte(multiaddr, len); - if (len != sizeof(mreq.imr_multiaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); + + { + if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) + croak("Wide character in %s", "Socket::pack_ip_mreq"); + + STRLEN len; + multiaddrbytes = SvPVbyte(multiaddr, len); + if (len != sizeof(mreq.imr_multiaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); + } + Zero(&mreq, sizeof(mreq), char); Copy(multiaddrbytes, &mreq.imr_multiaddr, sizeof(mreq.imr_multiaddr), char); if(SvOK(interface)) { if (DO_UTF8(interface) && !sv_utf8_downgrade(interface, 1)) croak("Wide character in %s", "Socket::pack_ip_mreq"); + + STRLEN len; interfacebytes = SvPVbyte(interface, len); if (len != sizeof(mreq.imr_interface)) croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_interface)); + Copy(interfacebytes, &mreq.imr_interface, sizeof(mreq.imr_interface), char); } else mreq.imr_interface.s_addr = INADDR_ANY; + ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq))); #else not_here("pack_ip_mreq"); @@ -1339,25 +1348,38 @@ pack_ip_mreq_source(multiaddr, source, interface=&PL_sv_undef) char * multiaddrbytes; char * sourcebytes; char * interfacebytes; - STRLEN len; - if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) - croak("Wide character in %s", "Socket::pack_ip_mreq_source"); - multiaddrbytes = SvPVbyte(multiaddr, len); - if (len != sizeof(mreq.imr_multiaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); - if (DO_UTF8(source) && !sv_utf8_downgrade(source, 1)) - croak("Wide character in %s", "Socket::pack_ip_mreq_source"); - if (len != sizeof(mreq.imr_sourceaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_sourceaddr)); - sourcebytes = SvPVbyte(source, len); + + { + if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) + croak("Wide character in %s", "Socket::pack_ip_mreq_source"); + + STRLEN len; + multiaddrbytes = SvPVbyte(multiaddr, len); + if (len != sizeof(mreq.imr_multiaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_multiaddr)); + } + + { + if (DO_UTF8(source) && !sv_utf8_downgrade(source, 1)) + croak("Wide character in %s", "Socket::pack_ip_mreq_source"); + + STRLEN len; + sourcebytes = SvPVbyte(source, len); + if (len != sizeof(mreq.imr_sourceaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ip_mreq", (UV)len, (UV)sizeof(mreq.imr_sourceaddr)); + } + Zero(&mreq, sizeof(mreq), char); Copy(multiaddrbytes, &mreq.imr_multiaddr, sizeof(mreq.imr_multiaddr), char); Copy(sourcebytes, &mreq.imr_sourceaddr, sizeof(mreq.imr_sourceaddr), char); + if(SvOK(interface)) { if (DO_UTF8(interface) && !sv_utf8_downgrade(interface, 1)) croak("Wide character in %s", "Socket::pack_ip_mreq"); + + STRLEN len; interfacebytes = SvPVbyte(interface, len); if (len != sizeof(mreq.imr_interface)) croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, @@ -1366,6 +1388,7 @@ pack_ip_mreq_source(multiaddr, source, interface=&PL_sv_undef) } else mreq.imr_interface.s_addr = INADDR_ANY; + ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq))); #else PERL_UNUSED_VAR(multiaddr); @@ -1406,16 +1429,22 @@ pack_ipv6_mreq(multiaddr, ifindex) #ifdef HAS_IPV6_MREQ struct ipv6_mreq mreq; char * multiaddrbytes; - STRLEN len; - if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) - croak("Wide character in %s", "Socket::pack_ipv6_mreq"); - multiaddrbytes = SvPVbyte(multiaddr, len); - if (len != sizeof(mreq.ipv6mr_multiaddr)) - croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, - "Socket::pack_ipv6_mreq", (UV)len, (UV)sizeof(mreq.ipv6mr_multiaddr)); + + { + if (DO_UTF8(multiaddr) && !sv_utf8_downgrade(multiaddr, 1)) + croak("Wide character in %s", "Socket::pack_ipv6_mreq"); + + STRLEN len; + multiaddrbytes = SvPVbyte(multiaddr, len); + if (len != sizeof(mreq.ipv6mr_multiaddr)) + croak("Bad arg length %s, length is %" UVuf ", should be %" UVuf, + "Socket::pack_ipv6_mreq", (UV)len, (UV)sizeof(mreq.ipv6mr_multiaddr)); + } + Zero(&mreq, sizeof(mreq), char); Copy(multiaddrbytes, &mreq.ipv6mr_multiaddr, sizeof(mreq.ipv6mr_multiaddr), char); mreq.ipv6mr_interface = ifindex; + ST(0) = sv_2mortal(newSVpvn((char *)&mreq, sizeof(mreq))); #else PERL_UNUSED_VAR(multiaddr);
Porting/Maintainers.pl+2 −2 modified@@ -1040,8 +1040,8 @@ package Maintainers; }, 'Socket' => { - 'DISTRIBUTION' => 'PEVANS/Socket-2.040.tar.gz', - 'SYNCINFO' => 'jkeenan on Wed Jul 16 09:34:44 2025', + 'DISTRIBUTION' => 'PEVANS/Socket-2.041.tar.gz', + 'SYNCINFO' => 'leo on Mon May 4 16:10:37 2026', 'FILES' => q[cpan/Socket], 'EXCLUDED' => ['.editorconfig'], },
Vulnerability mechanics
Root cause
"Reuse of a single STRLEN variable for both the multiaddr and source length checks in pack_ip_mreq_source() causes the source length validation to test the wrong value, allowing an undersized source buffer to be copied with a fixed-size read that overruns the buffer."
Attack vector
An attacker who can supply arguments to `Socket::pack_ip_mreq_source()` can trigger an out-of-bounds heap read. By passing a valid 4-byte `multiaddr` and a `source` string shorter than 4 bytes, the length check is bypassed (it reuses the `multiaddr` length), and the subsequent `Copy()` reads up to 3 bytes past the end of the `source` buffer into adjacent heap memory. The copied data is then returned in the packed structure, potentially leaking heap contents. No authentication or network access is required — the attacker only needs to control the Perl function arguments.
Affected code
The bug is in `pack_ip_mreq_source()` in `cpan/Socket/Socket.xs` (lines 1339–1366 of the pre-patch version). A single `STRLEN len` variable was reused for both the `multiaddr` and `source` arguments. After the `multiaddr` length check, `len` still held the `multiaddr` byte count; the subsequent `source` length check compared `len` (the `multiaddr` length) against `sizeof(mreq.imr_sourceaddr)` instead of the actual source length. Because both fields are 4 bytes, a valid 4-byte `multiaddr` would let any-length `source` pass the check. The same pattern also affected `pack_ip_mreq()` and `pack_ipv6_mreq()`, though those functions did not have the cross-argument reuse bug.
What the fix does
The patch introduces separate scoped blocks (`{ ... }`) for each argument in `pack_ip_mreq_source()`, `pack_ip_mreq()`, and `pack_ipv6_mreq()`, so that each argument gets its own local `STRLEN len` variable. This prevents the `len` value from one argument's `SvPVbyte()` call from being reused for the next argument's length check. The `source` length is now correctly measured and validated against `sizeof(mreq.imr_sourceaddr)` before the `Copy()` operation, rejecting any source that is not exactly 4 bytes.
Preconditions
- inputAttacker must be able to call Socket::pack_ip_mreq_source() with attacker-controlled arguments
- inputThe multiaddr argument must be exactly 4 bytes (valid IPv4 address)
- inputThe source argument must be shorter than 4 bytes
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.