CVE-2026-11527
Linux Debian Vulnerability Analysis and Mitigation

Overview

CVE-2026-11527 is an OS command injection and file overwrite vulnerability in the Perl module Config::IniFiles affecting all versions before 3.001000. The flaw exists in the _make_filehandle function, which uses Perl's 2-argument open() to open filenames supplied via the -file argument, allowing shell-magic interpretation of pipe and redirect characters. It was published on June 14, 2026, and assigned by CPANSec. The CVSS category is estimated as HIGH, with an EPSS score of approximately 0.0026 (Github Advisory, Feedly).

Technical details

The root cause is the use of Perl's 2-argument open() form in Config::IniFiles::_make_filehandle, classified under CWE-78 (OS Command Injection) and CWE-73 (External Control of File Name or Path). In 2-arg open(), Perl interprets filenames beginning or ending with a pipe character (| cmd or cmd |) as shell commands to execute, and filenames beginning with > or >> as file redirect/truncation operations. The vulnerable code path is reached when a caller invokes Config::IniFiles->new(-file => $untrusted_input), which routes through ReadConfig to _make_filehandle. The fix, committed on June 8, 2026, replaces the 2-arg open($fh, $thing) with the 3-arg form open($fh, '<', $thing), which treats the filename literally without shell interpretation (GitHub Patch, Github Advisory).

Impact

Any application that passes untrusted user input to the -file argument of Config::IniFiles->new() is vulnerable to arbitrary OS command execution or file truncation/overwrite under the privileges of the running process. This can result in full system compromise if the Perl process runs with elevated privileges, unauthorized data destruction via file truncation, and potential for lateral movement or persistence through command execution. In-memory scalar reference inputs (-file => \$text) are not affected by this vulnerability (Github Advisory, Feedly).

Exploitation steps

  1. Identify a vulnerable target: Find a Perl application using Config::IniFiles versions before 3.001000 that accepts user-controlled input and passes it (directly or indirectly) to Config::IniFiles->new(-file => $user_input).
  2. Craft a malicious filename payload: Prepare a filename string that exploits Perl's 2-arg open() shell-magic behavior, such as:
    • Trailing pipe for command execution: touch /tmp/pwned |
    • Leading pipe for command execution: | id > /tmp/output
    • Redirect operator for file truncation: > /etc/important_file
  3. Inject the payload: Supply the crafted string as the value that will be forwarded to the -file argument, e.g., via a web form, API parameter, or configuration input that the application uses to load an INI file.
  4. Trigger execution: Cause the application to instantiate a Config::IniFiles object with the malicious input, which calls ReadConfig → _make_filehandle → open($fh, 'touch /tmp/pwned |'), executing the embedded command as the process UID.
  5. Achieve objective: Depending on the payload, the attacker can execute arbitrary OS commands, exfiltrate data, establish persistence, or destroy files (GitHub Patch, Github Advisory).

Indicators of compromise

  • Logs: Application logs showing unexpected filenames containing pipe characters (|) or redirect operators (>, >>) passed as configuration file paths; Perl error messages or warnings related to open() failures with unusual filename strings.
  • File System: Unexpected new files created in world-writable directories (e.g., /tmp/) by the Perl application process; truncated or zeroed-out configuration or data files; new scripts or executables dropped by the application process user.
  • Process: Unusual child processes spawned by the Perl application (e.g., sh, bash, touch, curl, wget, nc) with the application's UID; unexpected outbound network connections from the Perl process.
  • Network: Outbound connections to unknown external hosts initiated by the Perl application process, potentially indicating reverse shell or data exfiltration activity.

Mitigation and workarounds

The primary remediation is to upgrade Config::IniFiles to version 3.001000 or later, which replaces the vulnerable 2-arg open() with the safe 3-arg form (Github Advisory, MetaCPAN). If immediate patching is not possible, implement strict input validation to reject any -file argument values containing pipe characters (|) or redirect operators (>, >>). As an alternative workaround, use in-memory scalar references (-file => \$text) instead of file paths where feasible, as this code path is not affected by the vulnerability.
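
The workaround described above, as an added example (not code from the advisory or from Config::IniFiles): the application opens the file itself with 3-arg open() and hands the module a scalar reference, so the module never receives a path string. The helper names load_ini_from_untrusted_path and module_is_patched and the sample values are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use version;
use File::Temp qw(tempfile);
use Config::IniFiles;

# True when the installed module is at or past the fixed release named above.
sub module_is_patched {
    return version->parse(Config::IniFiles->VERSION) >= version->parse('3.001000');
}

# Hypothetical wrapper (not part of Config::IniFiles).
# $path is the untrusted value the application would have passed as -file.
sub load_ini_from_untrusted_path {
    my ($path) = @_;
    die "no path given\n" unless defined $path && length $path;

    # Reject the characters 2-arg open() treats as modes, plus NUL and
    # leading/trailing whitespace, which 2-arg open() ignores.
    die "rejected -file value\n"
        if $path =~ /[|<>\0]/ || $path =~ /^\s|\s$/;

    # 3-arg open: '<' is the mode, $path is only ever a filename.
    open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
    my $text = do { local $/; <$fh> };
    close($fh);

    # Scalar-reference input, the code path the advisory lists as unaffected.
    my $cfg = Config::IniFiles->new(-file => \$text)
        or die "parse error: @Config::IniFiles::errors\n";
    return $cfg;
}

# Demo on constructed input: one real temp file, then values that must be refused.
my ($tmp, $tmp_path) = tempfile(SUFFIX => '.ini', UNLINK => 1);
print {$tmp} "[db]\nhost=localhost\n";
close($tmp);

warn "Config::IniFiles is older than 3.001000; upgrade\n" unless module_is_patched();
my $cfg = load_ini_from_untrusted_path($tmp_path);
print "db.host = ", $cfg->val('db', 'host'), "\n";

for my $bad ('| constructed-example', 'settings.ini |', '> settings.ini') {
    my $ok = eval { load_ini_from_untrusted_path($bad); 1 };
    print "rejected: '$bad'\n" unless $ok;
}
```

The character check is defence in depth: the 3-arg open() already treats the value as a plain filename, so the rejected values would fail with "cannot open" even without it.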

Community reactions

The vulnerability was noted in automated CVE tracking feeds and vulnerability databases shortly after publication on June 14, 2026, including ENISA EUVD, VulDB, and INCIBE-CERT (Feedly). No significant vendor statements, notable researcher commentary, or major media coverage have been identified beyond standard vulnerability database entries.

This report was generated using AI.

Related Linux Debian vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name           CISA KEV exploit  Has fix  Published date
CVE-2026-54056  HIGH      7.6    Linux Debian  kitty                    No                No       Jun 12, 2026
CVE-2026-54057  HIGH      7.3    Linux Debian  kitty                    No                No       Jun 12, 2026
CVE-2026-54421  MEDIUM    6.8    Linux Debian  ironic                   No                No       Jun 14, 2026
CVE-2026-11527  NONE      N/A    Linux Debian  libconfig-inifiles-perl  No                No       Jun 14, 2026
CVE-2026-11526  NONE      N/A    Linux Debian  libgd-perl               No                Yes      Jun 14, 2026
