Heap Buffer Overflow in List::SomeUtils::XS for Perl
CVE-2026-12844

Currently unrated

Key Information:

Vendor: Drolsky

CVE Published: 25 June 2026

What is CVE-2026-12844?

The List::SomeUtils::XS module for Perl has a critical heap buffer overflow vulnerability in its pairwise function. This flaw occurs due to insufficient buffer allocation when processing input arrays. The pairwise function attempts to store data returned from a block into a heap buffer that is sized only to the longer input array. If the block outputs a value that exceeds this size (specifically, more than four times the current allocation), it leads to writing past the allocated buffer's end, which can corrupt the heap. Such corruption poses a significant risk, as it can potentially be exploited by an attacker to execute arbitrary code or affect application stability. Users are urged to upgrade to version 0.59 or later to mitigate this risk.
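The defensive pattern for the bug class described above, as an added C illustration that is not code from List::SomeUtils::XS or from this advisory: the longer input only seeds the result buffer's capacity, and every append is bounds-checked and grown first. The names `results`, `reserve`, `pairwise_safe`, `pair_fn` and `ten_per_pair` are hypothetical, and the callback is an assumed stand-in for the Perl block.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int *data; size_t len, cap; } results;
/* Hypothetical stand-in for the Perl block: points *vals at its results, returns the count. */
typedef size_t (*pair_fn)(int a, int b, const int **vals);
/* Make room for `extra` more items; 0 on success, -1 on size overflow or OOM. */
static int reserve(results *r, size_t extra) {
    const size_t max = SIZE_MAX / sizeof(int);
    if (extra > max - r->len) return -1;
    size_t need = r->len + extra, cap = r->cap ? r->cap : 1;
    if (need <= r->cap) return 0;
    while (cap < need) cap = (cap > max / 2) ? need : cap * 2;
    int *p = realloc(r->data, cap * sizeof(int));
    if (!p) return -1;
    r->data = p; r->cap = cap;
    return 0;
}
/* The longer input only seeds the capacity; every append is re-checked. */
int pairwise_safe(const int *a, size_t na, const int *b, size_t nb, pair_fn fn, results *r) {
    size_t n = na > nb ? na : nb;
    *r = (results){0};
    if (reserve(r, n) != 0) return -1;
    for (size_t i = 0; i < n; i++) {
        const int *vals = NULL;
        size_t k = fn(i < na ? a[i] : 0, i < nb ? b[i] : 0, &vals);
        if (reserve(r, k) != 0) { free(r->data); r->data = NULL; return -1; }
        if (k) memcpy(r->data + r->len, vals, k * sizeof(int));
        r->len += k;
    }
    return 0;
}
/* Constructed callback: ten values per pair, far more than the seed capacity. */
static size_t ten_per_pair(int a, int b, const int **vals) {
    static int buf[10];
    for (int i = 0; i < 10; i++) buf[i] = a + b + i;
    *vals = buf;
    return 10;
}
int main(void) {
    int a[] = {1, 2}, b[] = {10};   /* constructed sample inputs */
    results r;
    if (pairwise_safe(a, 2, b, 1, ten_per_pair, &r) != 0) return 1;
    printf("len=%zu cap=%zu\n", r.len, r.cap);
    free(r.data);
    return 0;
}
```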

Affected Version(s)

List::SomeUtils::XS: versions from 0 up to, but not including, 0.59
