CVE-2026-57433
NixOS Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-57433 is a signed integer overflow vulnerability in the Perl Storable module (versions before 3.41) that occurs during deserialization of a crafted SX_HOOK record. The retrieve_hook_common function reads a signed 32-bit item count and passes it incremented by one to av_extend; when the count equals I32_MAX, the addition wraps to a negative value, causing av_extend to panic and terminate the deserialization process. The vulnerability was disclosed on July 13, 2026, and is classified as CWE-190 (Integer Overflow or Wraparound). The CVSS base score is estimated as Medium, with an EPSS score of 0.0 (GitHub Advisory, ENISA EUVD).

Détails techniques

The root cause is a signed integer overflow (CWE-190) in Storable.xs within the retrieve_hook_common function. When deserializing an SX_HOOK record, the function reads a signed 32-bit integer (len3) representing the item count and subsequently calls av_extend(av, len3 + 1). If len3 equals I32_MAX (2,147,483,647), the addition len3 + 1 wraps around to a negative value due to signed integer overflow, which is passed to av_extend, causing Perl to die with a panic. The fix, authored by Paul "LeoNerd" Evans and committed on May 9, 2026, adds an explicit check: if len3 == I32_MAX, deserialization is aborted with an "Invalid count of hook data items" error before av_extend is called (Perl5 Commit, GitHub Advisory).

Impact

Successful exploitation causes the Perl application's deserialization process to panic and terminate, resulting in a Denial of Service (DoS). Any application that passes untrusted or attacker-controlled serialized data to Storable's thaw or retrieve functions is at risk. There is no evidence of confidentiality or integrity impact; the vulnerability is limited to availability (GitHub Advisory, ENISA EUVD).

Étapes d’exploitation

  1. Identify target: Locate a Perl application that accepts externally supplied serialized data and passes it to Storable's thaw or retrieve functions, running Storable version < 3.41.
  2. Craft malicious blob: Construct a serialized Storable blob containing an SX_HOOK record where the item count field is set to I32_MAX (0x7FFFFFFF).
  3. Submit crafted blob: Deliver the malicious blob to the target application via any available input channel (e.g., HTTP request body, file upload, network socket) that feeds into the deserialization path.
  4. Trigger overflow: When retrieve_hook_common reads the I32_MAX count and computes len3 + 1, the signed integer overflows to a negative value, which is passed to av_extend.
  5. Achieve DoS: av_extend receives the negative count and Perl dies with a panic, terminating the deserialization and crashing or disrupting the application process (Perl5 Commit, GitHub Advisory).

Indicateurs de compromis

  • Logs: Perl application logs showing panic messages such as panic: av_extend or Invalid count of hook data items originating from Storable deserialization code.
  • Process: Unexpected termination or crash of Perl worker processes, particularly those handling deserialization tasks.
  • Network: Repeated submission of unusually large or malformed serialized blobs to application endpoints that accept Storable-formatted data.

Atténuation et solutions de contournement

Upgrade the Perl Storable module to version 3.41 or later, which includes the fix that explicitly rejects SX_HOOK records with an item count of I32_MAX (Perl5 Commit, GitHub Advisory). As an interim workaround if patching is not immediately possible, restrict the use of Storable's thaw and retrieve functions to trusted, internally generated data sources only, and avoid deserializing any externally supplied or user-controlled blobs (ENISA EUVD).

Réactions de la communauté

The vulnerability was disclosed via the oss-security mailing list on July 13, 2026, and received routine coverage from automated CVE tracking services. No notable researcher commentary or significant community discussion beyond standard vulnerability aggregation has been identified (oss-security).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté NixOS Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-57433CRITICAL9.8
  • NixOS logoNixOS
  • storable
NonOuiJul 13, 2026
CVE-2026-62240HIGH8.3
  • NixOS logoNixOS
  • crewai
NonOuiJul 13, 2026
CVE-2026-12606MEDIUM6.3
  • Glassfish logoGlassfish
  • grizzly
NonOuiJul 14, 2026
CVE-2026-15719MEDIUM5.4
  • NixOS logoNixOS
  • firefox
NonOuiJul 14, 2026
CVE-2026-15718MEDIUM4.3
  • NixOS logoNixOS
  • firefox
NonOuiJul 14, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités