CVE-2026-12087 Overview
CVE-2026-12087 is an out-of-bounds heap read vulnerability in the Socket Perl module versions before 2.041. The flaw resides in the pack_ip_mreq_source() function in Socket.xs, which validates argument lengths in the wrong order. An attacker who supplies a source address shorter than 4 bytes can cause the function to read up to 3 bytes of adjacent heap memory and return that data inside the packed structure. The defect is classified under [CWE-125] (Out-of-bounds Read) and can leak sensitive process memory across trust boundaries when Perl applications pass attacker-controlled values to multicast socket helpers.
Critical Impact
Adjacent heap memory is copied into returned packed structures, exposing process memory contents to attackers who control the source argument passed to pack_ip_mreq_source().
Affected Products
- Perl Socket module versions prior to 2.041
- Perl distributions bundling Socket-2.040.tar.gz or earlier
- Applications invoking pack_ip_mreq_source() with untrusted input
Discovery Timeline
- 2026-06-15 - CVE-2026-12087 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-12087
Vulnerability Analysis
The Socket Perl XS module exposes pack_ip_mreq_source() to construct ip_mreq_source structures used for IPv4 source-specific multicast group membership operations. The function accepts three address arguments and packs them into fixed-size 4-byte fields inside the resulting structure. The vulnerability stems from a length check applied against the wrong variable, allowing a short source buffer to bypass validation before a fixed-size memory copy reads past its boundary.
Root Cause
In Socket.xs, the length check intended for the source argument runs before source is read. The check inadvertently tests the length value carried over from the preceding multiaddr argument. Because both addresses share an identical 4-byte field width, a valid multiaddr lets a source of any length pass validation. A fixed-size copy then writes the imr_sourceaddr field by reading 4 bytes from the user-supplied buffer regardless of its actual size.
Attack Vector
An attacker who can influence the source argument passed to pack_ip_mreq_source() provides a buffer shorter than 4 bytes. The function copies the supplied bytes plus up to 3 additional bytes of adjacent heap memory into imr_sourceaddr. The returned packed structure carries the leaked heap bytes back to the caller. Applications that transmit, log, or otherwise expose the packed structure can disclose process memory contents to remote actors.
The upstream fix updates the Perl core to ship Socket-2.041, which corrects the argument length validation:
'Socket' => {
- 'DISTRIBUTION' => 'PEVANS/Socket-2.040.tar.gz',
- 'SYNCINFO' => 'jkeenan on Wed Jul 16 09:34:44 2025',
+ 'DISTRIBUTION' => 'PEVANS/Socket-2.041.tar.gz',
+ 'SYNCINFO' => 'leo on Mon May 4 16:10:37 2026',
'FILES' => q[cpan/Socket],
'EXCLUDED' => ['.editorconfig'],
},
Source: GitHub Commit Patch
Detection Methods for CVE-2026-12087
Indicators of Compromise
- Perl applications shipping Socket module versions earlier than 2.041 reported by perl -MSocket -e 'print $Socket::VERSION'
- Anomalous binary payloads emitted from Perl processes containing non-address heap bytes in IGMP or multicast control messages
- Calls to pack_ip_mreq_source() with externally sourced address arguments observed in code review or runtime tracing
Detection Strategies
- Inventory Perl interpreters and CPAN bundles across servers, build agents, and container images to identify vulnerable Socket versions.
- Static-analyze Perl source trees for invocations of pack_ip_mreq_source() where any argument originates from network input or user-controlled data.
- Instrument runtime with memory sanitizers such as AddressSanitizer when testing Perl applications that exercise multicast helpers.
Monitoring Recommendations
- Alert on egress traffic from Perl-based services containing multicast control structures with high-entropy imr_sourceaddr bytes.
- Track package management events that pin or roll back the Socket module below version 2.041.
- Monitor process telemetry for repeated short-buffer arguments passed to Perl XS extensions handling network address packing.
How to Mitigate CVE-2026-12087
Immediate Actions Required
- Upgrade the Perl Socket module to version 2.041 or later from CPAN.
- Rebuild or repackage container images, virtual machine templates, and OS packages that bundle the Perl core with the vulnerable Socket version.
- Audit Perl code paths that call pack_ip_mreq_source() and validate that source arguments are exactly 4 bytes before invocation.
Patch Information
The fix ships in Socket-2.041, released by maintainer PEVANS. Perl core was updated to bundle this version via the commit referenced in GitHub Commit Patch. Release notes are available in MetaCPAN Release Changes and coordinated disclosure details appear in the OpenWall OSS-Security Update.
Workarounds
- Enforce a length check in application code so that any source argument passed to pack_ip_mreq_source() is exactly 4 bytes, rejecting shorter inputs before the call.
- Wrap multicast helpers in a sanitizing module that uses pack('a4', $source) with explicit length verification before delegating to Socket.
- Restrict execution of multicast-handling Perl scripts to trusted local users until the upgrade to Socket-2.041 is completed.
# Configuration example - upgrade Socket via CPAN
cpan install PEVANS/Socket-2.041.tar.gz
perl -MSocket -e 'die "Vulnerable" if $Socket::VERSION < 2.041; print "OK $Socket::VERSION\n"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
