CVE-2026-57433: Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record Stig Palmquist 13 Jul 2026 15:51 UTC

========================================================================
CVE-2026-57433                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-57433
  Distribution:  Storable
      Versions:  before 3.41

      MetaCPAN:  https://metacpan.org/dist/Storable
      VCS Repo:  https://github.com/Perl/perl5

Storable versions before 3.41 for Perl have a signed integer overflow
when deserializing a crafted SX_HOOK record

Description
-----------
Storable versions before 3.41 for Perl have a signed integer overflow
when deserializing a crafted SX_HOOK record.

retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK
record and calls av_extend with that count plus one. A count of I32_MAX
wraps the addition to a negative value.

A crafted blob passed to thaw or retrieve triggers the overflow;
av_extend receives the negative count and dies with a panic,
terminating the deserialization.

Problem types
-------------
- CWE-190 Integer Overflow or Wraparound

Solutions
---------
Upgrade to Storable 3.41 or later.

References
----------
https://github.com/Perl/perl5/commit/e4f681784bcdeaa91ff02a2fa4cdcae5c46779d7.patch