CVE-2026-57433

HAARG · Storable

The Storable module for Perl contains a signed integer overflow when deserializing SX_HOOK records, potentially leading to denial of service or arbitrary code execution.

Executive summary

A critical signed integer overflow in the Storable module for Perl can be triggered by crafted input, leading to service disruption or potential remote code execution.

Vulnerability

This is a signed integer overflow vulnerability occurring during the deserialization of SX_HOOK records in the retrieve_hook_common function. An attacker can supply a crafted blob to trigger the overflow, which is exploitable without authentication.

Business impact

This vulnerability carries a CVSS score of 9.8, signifying critical severity. Successful exploitation can result in a denial of service through application panics or, more severely, potential arbitrary code execution via heap memory corruption. This poses a major risk to system availability and security.

Remediation

Immediate Action: Upgrade the Storable module to version 3.41 or later.

Proactive Monitoring: Review application error logs for unexpected panics or crashes related to the Storable module during data deserialization.

Compensating Controls: Avoid deserializing untrusted or externally sourced data using the Storable module unless the data is strictly validated and the module is patched.

Exploitation status

Public Exploit Available: No confirmed public exploit (weaponized or curated PoC) is available in the provided data.

Analyst recommendation

Due to the critical severity and potential for arbitrary code execution, upgrading the Storable module to version 3.41 is mandatory. Organizations must ensure that any software relying on this Perl module is updated promptly to prevent exploitation of this deserialization vulnerability.