CVE-2026-11526
Linux Debian vulnerability analysis and mitigation

Overview

CVE-2026-11526 is an OS command injection and file overwrite vulnerability in the GD Perl module (Perl-GD) affecting all versions before 2.86. The flaw resides in the GD::Image::_make_filehandle function, which uses Perl's 2-argument open() to open filename arguments, allowing specially crafted filenames containing pipe characters or redirect operators to be interpreted as shell commands or file redirects rather than literal paths. It was reported by Paul Johnson (CPANSec), patched on June 8, 2026, and publicly disclosed on June 14, 2026. The CVSS category is estimated as HIGH, with an EPSS score of approximately 0.0026 (GitHub Advisory, Feedly).

Technical details

The root cause is Perl's 2-argument open($fh, $thing) call in GD::Image::_make_filehandle, which interprets shell metacharacters in the filename argument (CWE-78: OS Command Injection; CWE-73: External Control of File Name or Path). Specifically, filenames beginning or ending with a pipe character (e.g., "| cmd" or "cmd |"), or beginning with a redirect operator ("> path" or ">> path"), cause Perl to execute the embedded command or perform a file redirect instead of opening the named file. Because _make_filehandle is the sole file-opening code path for all filename-accepting constructors — new, newFromPng, newFromJpeg, and others — any application that passes untrusted user input as a pathname to these constructors is vulnerable. The fix replaces the 2-arg open() with a 3-arg open($fh, '<', $thing), which always treats the argument as a literal filename (GitHub Patch, GitHub Advisory).
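The following Perl script is an added example, not code from the GD distribution or from the advisory. It places the 2-argument open() pattern the advisory describes next to the 3-argument form used by the fix, then feeds the 3-argument form constructed filenames that carry the metacharacters listed above and shows that they are treated as literal (non-existent) paths. The sub names open_2arg and open_3arg are invented for this example; the vulnerable sub is included for reference only and is never called on the hostile names.

```perl
#!/usr/bin/perl
# Added example (not part of GD or the advisory): 2-arg vs 3-arg open() as in
# CVE-2026-11526. Sub names open_2arg/open_3arg are invented for this example.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Errno qw(ENOENT);

# Vulnerable pattern (shown for reference only, never called below on the
# hostile names): 2-arg open lets a leading or trailing '|' select a pipe and
# a leading '>' select an output redirect instead of a plain read.
sub open_2arg {
    my ($thing) = @_;
    open(my $fh, $thing) or return;   # CWE-78 / CWE-73 sink
    return $fh;
}

# Hardened pattern (what GD 2.86 does in _make_filehandle): the explicit '<'
# mode means $thing is always a path to read, whatever characters it contains.
sub open_3arg {
    my ($thing) = @_;
    open(my $fh, '<', $thing) or return;
    return $fh;
}

my $dir    = tempdir(CLEANUP => 1);
my $canary = File::Spec->catfile($dir, 'canary');

# Constructed hostile-looking names; each would be interpreted as a pipe or a
# redirect by the 2-arg form.
my @hostile = (
    "| echo hi",          # leading pipe: run a command, read its stdout
    "echo hi |",          # trailing pipe: run a command, write to its stdin
    "> $canary",          # leading redirect: create/truncate a file
);

for my $name (@hostile) {
    my $fh = open_3arg($name);
    if ($fh) {
        print "opened literally: '$name'\n";
        close $fh;
    } else {
        # Expected: the literal path does not exist, so ENOENT; no process was
        # spawned and no file was created.
        printf "refused '%s': %s\n", $name, ($! == ENOENT ? 'ENOENT' : "$!");
    }
}
print -e $canary ? "canary was created (BAD)\n" : "canary untouched (good)\n";
```

Run it with a stock perl; every hostile name should print as refused with ENOENT and the canary line should read "untouched". The same three names handed to open_2arg would instead spawn /bin/sh twice and truncate the canary, which is exactly the behaviour the 3-argument form removes.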

Impact

Successful exploitation allows an attacker to execute arbitrary OS commands or overwrite (truncate) arbitrary files under the UID of the running process. In web application contexts where GD is used to process user-supplied image filenames, this could lead to full server compromise, data destruction, or unauthorized code execution. The in-memory *Data constructor variants (e.g., newFromPngData) are not affected, as they do not open filesystem paths (GitHub Advisory, Feedly).

Exploitation steps

  1. Identify a vulnerable target: Find a web application or service that uses the Perl GD module (versions < 2.86) and accepts user-controlled filenames passed to GD constructors such as GD::Image->new(), GD::Image->newFromPng(), or similar.
  2. Craft a malicious filename payload: Construct a filename string that exploits Perl's 2-arg open() interpretation — for example, a trailing-pipe payload (touch /tmp/pwned |) to execute a command, a leading-pipe payload (| id > /tmp/out) to capture command output, or a redirect payload (> /etc/cron.d/backdoor) to overwrite a file.
  3. Submit the payload: Deliver the crafted filename as input to the vulnerable application (e.g., via a file upload field, API parameter, or any input that is forwarded as a pathname to a GD constructor).
  4. Achieve command execution or file overwrite: The 2-arg open() in _make_filehandle interprets the shell metacharacters, executing the embedded command or performing the redirect under the process UID, potentially resulting in a reverse shell, data exfiltration, or file destruction (GitHub Patch, GitHub Advisory).

Indicators of compromise

  • Logs: Application or web server logs showing unusual filename parameters containing pipe characters (|), redirect operators (>, >>), or shell command strings passed to image-processing endpoints.
  • File System: Unexpected new files created in world-writable directories (e.g., /tmp/, /var/tmp/) by the web server or application process UID; truncated or zeroed-out files that should contain data; unexpected cron jobs or scripts in system directories.
  • Process: Unusual child processes spawned by the Perl interpreter or web server process (e.g., sh, bash, touch, curl, wget, id) that are not part of normal application behavior.
  • Network: Unexpected outbound connections from the web/application server process to external IPs, potentially indicating a reverse shell or data exfiltration following command injection.

Mitigation and workarounds

Upgrade the Perl GD module to version 2.86 or later, which replaces the vulnerable 2-arg open() with a safe 3-arg open($fh, '<', $thing) in _make_filehandle. As an interim workaround, validate and sanitize all filename arguments before passing them to any GD constructor, rejecting strings that begin or end with pipe characters (|) or begin with redirect operators (>, >>). Where possible, use the in-memory *Data constructor variants (e.g., newFromPngData) when processing untrusted image data, as these do not open filesystem paths and are unaffected by this vulnerability (GitHub Patch, MetaCPAN).
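The script below is an added example written for this page; it is not code from GD, from the advisory or from Wiz. It implements the interim filename gate described in this section and the log-based indicator listed under Indicators of compromise, running the same check over a few constructed web server access-log lines. It goes a little beyond the advisory's list: Perl's 2-argument open() also trims surrounding whitespace and honours a leading '<', '+<', '+>' and a bare '-', so the gate rejects those as well, and a second, allowlist-style check rejects traversal and unusual characters. The sub names, the 'file=' query parameter and the log lines are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not from GD, the advisory or Wiz): a filename gate for the
# interim workaround plus a scan of constructed log lines for the indicators.
# Sub names, the 'file=' parameter and the log lines are assumptions.
use strict;
use warnings;

# Returns a reason string if $name would be dangerous to pass to a 2-arg
# open(), or undef if it looks like a plain path. 2-arg open trims surrounding
# whitespace and honours '<', '+<', '+>' and '-' as well as '|' and '>', so
# those are covered here too.
sub unsafe_filename_reason {
    my ($name) = @_;
    return 'undefined or empty' unless defined $name && length $name;
    return 'embedded NUL'        if $name =~ /\0/;
    (my $trimmed = $name) =~ s/^\s+|\s+$//g;
    return 'leading pipe (command, stdout captured)' if $trimmed =~ /^\|/;
    return 'trailing pipe (command fed on stdin)'    if $trimmed =~ /\|$/;
    return 'leading redirect (file create/truncate)' if $trimmed =~ /^>/;
    return 'leading mode prefix'                     if $trimmed =~ /^[<+]/;
    return 'bare "-" (STDIN)'                        if $trimmed eq '-';
    return 'surrounding whitespace'                  if $trimmed ne $name;
    return;
}

# Stricter allowlist for user-supplied paths, to be applied before any GD
# constructor: relative, no traversal, conservative character set only.
sub is_acceptable_image_path {
    my ($name) = @_;
    return 0 if unsafe_filename_reason($name);
    return 0 if $name =~ m{(^|/)\.\.(/|$)};      # path traversal
    return 0 unless $name =~ m{\A[\w./-]+\z};    # letters, digits, _ . / -
    return 1;
}

sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Scan access-log lines for a query parameter whose decoded value trips the
# gate. Returns a list of [line_number, decoded_value, reason].
sub scan_log_lines {
    my ($param, @lines) = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        # Capture the value up to the next '&', whitespace or quote.
        next unless $lines[$i] =~ /[?&]\Q$param\E=([^&\s"]*)/;
        my $value  = url_decode($1);
        my $reason = unsafe_filename_reason($value) or next;
        push @hits, [ $i + 1, $value, $reason ];
    }
    return @hits;
}

# Constructed sample lines (fictional client, paths and endpoint).
my @log = (
    '203.0.113.5 - - [14/Jun/2026:10:00:01 +0000] "GET /thumb?file=uploads/cat.png HTTP/1.1" 200 512',
    '203.0.113.5 - - [14/Jun/2026:10:00:07 +0000] "GET /thumb?file=%7C%20id%20%3E%20/tmp/out HTTP/1.1" 500 0',
    '203.0.113.5 - - [14/Jun/2026:10:00:09 +0000] "GET /thumb?file=touch%20/tmp/pwned%20%7C HTTP/1.1" 500 0',
    '203.0.113.5 - - [14/Jun/2026:10:00:12 +0000] "GET /thumb?file=%3E%20/etc/cron.d/backdoor HTTP/1.1" 500 0',
    '203.0.113.5 - - [14/Jun/2026:10:00:15 +0000] "GET /thumb?file=../../etc/passwd HTTP/1.1" 404 0',
);

for my $hit (scan_log_lines('file', @log)) {
    printf "line %d: %-28s -> %s\n", @$hit;
}

# Line 5 carries no 2-arg open() metacharacters, so it is not an indicator of
# this CVE, but the allowlist still rejects it as traversal.
printf "allowlist(../../etc/passwd) = %d\n", is_acceptable_image_path('../../etc/passwd');
printf "allowlist(uploads/cat.png)  = %d\n", is_acceptable_image_path('uploads/cat.png');
```

Lines 2, 3 and 4 of the constructed log are reported (leading pipe, trailing pipe, leading redirect); line 1 passes both checks and line 5 fails only the allowlist. The gate is a stop-gap: the durable fix is the 3-argument open() shipped in GD 2.86, since a blocklist can only ever cover the metacharacters its author remembered.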

Community reactions

The vulnerability was reported by Paul Johnson under the CPANSec security coordination process and patched promptly before public disclosure. OpenSUSE issued a security announcement to its mailing list, and INCIBE-CERT published an early warning advisory. The CVE received routine coverage from vulnerability aggregators and tracking services, with no notable controversy or widespread community discussion observed (OpenSUSE, INCIBE-CERT).

Additional resources

Source

This report was generated with the help of AI.

Related Linux Debian vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name          | CISA KEV exploit | Fixed | Publication date
CVE-2026-54056 | HIGH     | 7.6   | Linux Debian | kitty                   | No               | No    | Jun 12, 2026
CVE-2026-54057 | HIGH     | 7.3   | Linux Debian | kitty                   | No               | No    | Jun 12, 2026
CVE-2026-54421 | MEDIUM   | 6.8   | Linux Debian | ironic                  | No               | No    | Jun 14, 2026
CVE-2026-11527 | NONE     | N/A   | Linux Debian | libconfig-inifiles-perl | No               | No    | Jun 14, 2026
CVE-2026-11526 | NONE     | N/A   | Linux Debian | libgd-perl              | No               | Yes   | Jun 14, 2026
