CVE-2026-12844 · CVSS 7.5 · EXPLOITED · PATCHED
perl · list::someutils::xs

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function

Description

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
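The growth arithmetic described above, as an added example that is not code from List::SomeUtils::XS: it models capacity only and writes no memory. The function names, the sample return counts, and the assumption that growth is triggered only when the next copy does not fit are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef size_t (*grow_fn)(size_t alloc, size_t used, size_t incoming);

/* Constructed sample: values the block returns on each of two calls. */
static const size_t SAMPLE_RETURNS[] = {1, 9};

/* Flawed pattern from the description: one quadrupling, then copy. */
static size_t grow_single(size_t alloc, size_t used, size_t incoming) {
    if (incoming > alloc - used)
        alloc <<= 2;
    return alloc;
}

/* Hardened pattern: keep growing until the copy fits. If the size would
 * overflow, capacity is left unchanged so the caller's fit check fails. */
static size_t grow_loop(size_t alloc, size_t used, size_t incoming) {
    if (incoming > SIZE_MAX - used) return alloc;
    size_t need = used + incoming, grown = alloc ? alloc : 1;
    while (grown < need) {
        if (grown > SIZE_MAX / 4) return alloc;
        grown <<= 2;
    }
    return grown;
}

/* Walks the per-call return counts, starting from a buffer sized to the
 * longer input array. Returns the index of the first call whose values do
 * not fit the capacity the growth step produced, or -1 if every call fits. */
static long first_overrun(size_t longer_len, const size_t *returned,
                          size_t ncalls, grow_fn grow) {
    size_t alloc = longer_len, used = 0;
    for (size_t i = 0; i < ncalls; i++) {
        alloc = grow(alloc, used, returned[i]);
        if (returned[i] > alloc - used) return (long)i;
        used += returned[i];
    }
    return -1;
}

int main(void) {
    printf("single quadrupling: %ld\n", first_overrun(2, SAMPLE_RETURNS, 2, grow_single));
    printf("loop growth:        %ld\n", first_overrun(2, SAMPLE_RETURNS, 2, grow_loop));
    return 0;
}
```

With a longer input of length 2, the second call's nine values need ten slots while a single quadrupling yields eight; the looped version reaches 32 before the copy.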

Affected Products

Vendor | Product | Versions
perl | list::someutils::xs | 0

References

  • https://github.com/houseabsolute/List-SomeUtils-XS/commit/22549f78669b780d6aa338a2d2e49a3dedfffaa6.patch (patch)
  • https://metacpan.org/release/DROLSKY/List-SomeUtils-XS-0.59/changes (release-notes)

Related News (2 articles)

Tier C · oss-security · 2d ago
CVE-2026-12844: List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function
→ No new info (linked only)

Tier C · VulDB · 2d ago
CVE-2026-12844 | DROLSKY List::SomeUtils::XS up to 0.58 on Perl pairwise out-of-bounds write
→ No new info (linked only)

CVSS 3.1: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 0.59
CWE: CWE-787, CWE-122
Published: Jun 25, 2026
Last enriched: 2d ago (v3)
Tags: CVE-2026-12844
Trending Score: 46
Source articles: 2
Independent: 2
Info Completeness: 9/14
Missing: cvss, epss, kev, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-11702 · EXP
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Trending: 56

HIGH · CVE-2026-11625 · EXP
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
Trending: 56

HIGH · CVE-2026-48962 · EXP
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob
Trending: 52

NONE · CVE-2026-12087 · EXP
Socket versions before 2.041 for Perl have an out-of-bounds heap read
Trending: 17

NONE · CVE-2026-9698 · EXP
DBI versions before 1.648 for Perl saved errors in a limited-sized buffer
Trending: 6

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Jun 25, 2026
Discovered by ZDM: Jun 25, 2026
Updated: tags (Jun 25, 2026)
Updated: severity, exploitAvailable, activelyExploited (Jun 25, 2026)
Actively Exploited: Jun 25, 2026
Exploit Available: Jun 25, 2026
Patch Available: Jun 25, 2026

Version History

v3 · Last enriched 2d ago

v3 · Tier C · 2d ago

Updated severity to HIGH and marked the vulnerability as exploit available and actively exploited.

severity, exploitAvailable, activelyExploited
via oss-security

v2 · Tier C · 2d ago

Updated severity to CRITICAL, marked as actively exploited, and added CVE-2026-12844 as a new tag.

tags
via VulDB

v1 · 2d ago

Initial creation