Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2781 articles · 175026 vulns · 36/41 feeds (7d)
← Back to list
7.5
CVE-2026-57432EXPLOITEDPATCHED
perl · perl

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack

Description

Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of bounds. A template derived from untrusted input can read heap memory past the buffer and return it to the caller.

Affected Products

VendorProductVersions
perlperl0

References

  • https://github.com/Perl/perl5/commit/5f7eb6bbbe0510964e3fb1d6bb691e5445913e55.patch(patch)
  • https://github.com/Perl/perl5/commit/40754edc72dd3e513d758153c0e2f0215897740e.patch(patch)

Related News (2 articles)

Tier C
oss-security8h ago
CVE-2026-57432: Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack
→ No new info (linked only)
Tier C
VulDB9h ago
CVE-2026-57432 | Perl up to 5.43.10 S_measure_struct repeat integer overflow
→ No new info (linked only)
CVSS 3.17.5 NONE
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
https://github.com/Perl/perl5/commit/5f7eb6bbbe0510964e3fb1d6bb691e5445913e55.patchhttps://github.com/Perl/perl5/commit/40754edc72dd3e513d758153c0e2f0215897740e.patch
CWECWE-190, CWE-125
PublishedJul 13, 2026
Last enriched9h agov2
Trending Score49
Source articles2
Independent2
Info Completeness9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-14739EXP
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders
Trending: 50
NONECVE-2026-13221EXP
Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk
Trending: 49
NONECVE-2026-14380EXP
DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile
Trending: 39
NONECVE-2026-14740
DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment
Trending: 35
NONECVE-2026-8450EXP
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()
Trending: 27

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 13, 2026
Discovered by ZDM
Jul 13, 2026
Updated: severity, cvssEstimate, activelyExploited
Jul 13, 2026
Actively Exploited
Jul 13, 2026
Patch Available
Jul 13, 2026

Version History

v2
Last enriched 9h ago
v2Tier C9h ago

Updated severity to HIGH, added CVSS estimate of 7.5, and marked the vulnerability as actively exploited.

severitycvssEstimateactivelyExploited
via VulDB
v110h ago

Initial creation