#1140152 perl: CVE-2026-12087

Package:
src:perl
Source:
src:perl
Submitter:
Salvatore Bonaccorso
Date:
2026-06-18 00:11:01 UTC
Severity:
normal
Tags:
#1140152#5
Date:
2026-06-16 14:44:27 UTC
From:
To:
Hi,

The following vulnerability was published for perl.

CVE-2026-12087[0]:
| Socket versions before 2.041 for Perl have an out-of-bounds heap
| read.  In Socket.xs, pack_ip_mreq_source() checks the length of its
| source argument before the argument is read, so the check tests the
| byte length carried over from the preceding multiaddr argument
| instead. Both addresses occupy a 4-byte field, so a valid multiaddr
| lets a source of any length pass the check, and the source is then
| copied into the 4-byte imr_sourceaddr field with a fixed-size copy.
| A source shorter than 4 bytes is not rejected, and the copy reads up
| to 3 bytes past the end of its buffer.  Calling
| pack_ip_mreq_source() with a source value shorter than 4 bytes
| copies adjacent heap memory into the returned packed structure.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-12087
https://www.cve.org/CVERecord?id=CVE-2026-12087
[1] https://lists.security.metacpan.org/cve-announce/msg/41020451/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
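To make the ordering flaw in the advisory concrete, here is an added illustration in C; it is a constructed model, not code from Socket.xs. The struct, function names and sample bytes are assumptions: the flawed check sits beside the corrected one, and the "source" argument is placed inside a larger stand-in array so the 4-byte copy stays within defined behaviour while still showing the adjacent bytes ending up in the packed result.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the packed result: the two 4-byte IPv4 fields named
   in the CVE text (the interface field is omitted). */
struct mreq_source_model { uint8_t imr_multiaddr[4]; uint8_t imr_sourceaddr[4]; };

/* Flawed ordering: `len` is refreshed only when an argument is read, but the
   second check runs before source is read, so it still tests multiaddr's
   length and the fixed 4-byte copy runs whatever source_len really is. */
int pack_stale_check(const uint8_t *multiaddr, size_t multiaddr_len,
                     const uint8_t *source, size_t source_len,
                     struct mreq_source_model *out) {
    size_t len = multiaddr_len;                 /* set when multiaddr is read */
    if (len != 4) return -1;
    memcpy(out->imr_multiaddr, multiaddr, 4);
    if (len != 4) return -1;                    /* BUG: still multiaddr's length */
    (void)source_len;                           /* source's length is read only after the check */
    memcpy(out->imr_sourceaddr, source, 4);     /* copies 4 bytes even for a 1-byte source */
    return 0;
}

/* Corrected ordering: read each argument's length, then check it. */
int pack_checked(const uint8_t *multiaddr, size_t multiaddr_len,
                 const uint8_t *source, size_t source_len,
                 struct mreq_source_model *out) {
    if (multiaddr_len != 4 || source_len != 4) return -1;  /* short source rejected */
    memcpy(out->imr_multiaddr, multiaddr, 4);
    memcpy(out->imr_sourceaddr, source, 4);
    return 0;
}

/* Constructed: a 1-byte source followed by stand-in "heap" bytes, so the flawed copy stays in-bounds here. */
static const uint8_t sample_multiaddr[4] = { 224, 0, 0, 1 };
static const uint8_t sample_heap[8] = { 0x0a, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0 };

/* Flawed path: returns how many bytes of imr_sourceaddr came from beyond
   the declared 1-byte argument (-1 if the call was rejected). */
int leaked_bytes_with_stale_check(void) {
    struct mreq_source_model out;
    if (pack_stale_check(sample_multiaddr, 4, sample_heap, 1, &out) != 0) return -1;
    return memcmp(out.imr_sourceaddr + 1, sample_heap + 1, 3) == 0 ? 3 : 0;
}

/* Same input through the corrected function: -1 means rejected. */
int status_with_checked(void) {
    struct mreq_source_model out;
    return pack_checked(sample_multiaddr, 4, sample_heap, 1, &out);
}
```

With the stale check the 1-byte source is accepted and three bytes past it land in imr_sourceaddr; with the corrected check the same call is rejected.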

#1140152#10
Date:
2026-06-18 00:02:57 UTC
From:
To: