CVE-2026-57432 affects Perl versions through 5.43.10, allowing a malicious
The CPAN Security Group disclosed the issue on July 13, 2026, and identifies Perl 5.43.11 as the first development release containing the fix. Microsoft subsequently listed the CVE in the MSRC Security Update Guide, but remediation depends on the distributor that supplied the Perl interpreter.
The upstream description focuses on an out-of-bounds heap read and possible exposure of process memory. Although the supplied MSRC material describes severe availability consequences, the public CPAN advisory does not establish persistent denial of service or complete resource unavailability as the vulnerability’s primary impact.
The defect sits in
When calculating a structure’s required size, the vulnerable code adds each item’s size multiplied by its repeat count to a signed
Positioning directives such as
The result is an out-of-bounds heap read. According to the CPAN Security Group advisory, a template derived from untrusted input can cause Perl to read memory after the legitimate buffer and return those bytes to the caller.
That distinction matters when assessing risk. An out-of-bounds read can expose fragments of heap memory belonging to the affected process, potentially including data from earlier operations, parsed requests, credentials, tokens, or other application state. Exactly what can be recovered will depend on the application, allocator behavior, process architecture, template, and surrounding heap layout.
The published weakness classifications are CWE-190, Integer Overflow or Wraparound, and CWE-125, Out-of-bounds Read. No public reporting reviewed for this disclosure demonstrates arbitrary code execution, and administrators should not automatically treat a heap read as a heap write.
Git for Windows is the most prominent example. Its documentation says the full distribution includes Perl alongside Bash and other POSIX utilities required by Git workflows. Perl supports features including
Other places to check include Strawberry Perl, ActiveState distributions, MSYS2, Cygwin, application-specific runtime folders, build appliances, and Windows Subsystem for Linux distributions. WSL installations must be updated through their Linux package manager; installing a native Windows Perl update does not patch a separate interpreter inside Ubuntu, Debian, or another WSL image.
Administrators can locate interpreters visible through the current
Those commands are only a starting point. Bundled interpreters may not be registered globally, so software inventories and filesystem searches should also cover locations such as
Version discovery also needs context. The affected range is described as versions through 5.43.10, which encompasses supported stable branches older than the patched development build—not merely the numbered 5.43 development series shown in some abbreviated vulnerability databases.
Strawberry Perl’s latest publicly listed Windows packages at the time of disclosure are based on Perl 5.42.2 and 5.40.4. Those versions fall inside the upstream affected range unless the relevant security commits have been separately backported. Version numbers alone therefore cannot prove that a vendor package is safe; its changelog and patch set must be checked.
Many Perl programs use fixed templates written directly into their source code. Those applications may have little or no practical exposure because an external user cannot replace the template, even when the binary data being packed or unpacked is untrusted.
Risk rises when applications construct templates dynamically from network messages, file metadata, database values, plug-in output, user-supplied configuration, or other external sources. Services that expose such behavior remotely deserve priority because a vulnerable parsing path could disclose memory without the attacker first obtaining a local account.
Security teams should search Perl code for dynamic uses of
Until a patched package is available, maintainers can reduce exposure by rejecting user-controlled templates, constraining repeat counts before template construction, and replacing dynamic formats with fixed templates where possible. Input validation should happen before Perl evaluates the template rather than relying on a later buffer-length check.
These mitigations do not replace the upstream correction. The two referenced Perl commits add the necessary overflow protections, and the CPAN Security Group says the fix is included in Perl 5.43.11.
The concrete exploit consequence documented upstream is reading heap memory past a buffer and returning it to the caller. A malformed input might also terminate a particular process on some platforms or builds, but that is not the same as demonstrating sustained or persistent denial of access to an entire component.
Administrators should therefore avoid reporting CVE-2026-57432 internally as a confirmed total-availability vulnerability without additional vendor evidence. The better-supported assessment is a memory-disclosure flaw that may also produce instability depending on how the invalid read resolves.
The CVE was reserved on June 24 and publicly disclosed on July 13, 2026. Initial vulnerability databases have shown differing or incomplete severity values, another reason to prioritize the technical preconditions and the affected application’s role over a single early score.
Organizations should now identify every Perl runtime, determine whether its distributor has applied the upstream commits, and inspect exposed applications for attacker-controlled templates. Perl 5.43.11 provides the first named fixed development release, but production Windows environments will largely depend on backported updates from Strawberry Perl, Git for Windows, MSYS2, Cygwin, ActiveState, Linux distributions used under WSL, and individual software vendors.
pack or unpack template to trigger an integer overflow and read beyond a heap buffer. Windows administrators should inventory standalone Perl installations, Git for Windows, MSYS2, Cygwin, CI runners, and developer toolchains rather than wait for Windows Update: this is an upstream Perl flaw, not a vulnerability in the Windows operating system itself.The CPAN Security Group disclosed the issue on July 13, 2026, and identifies Perl 5.43.11 as the first development release containing the fix. Microsoft subsequently listed the CVE in the MSRC Security Update Guide, but remediation depends on the distributor that supplied the Perl interpreter.
The upstream description focuses on an out-of-bounds heap read and possible exposure of process memory. Although the supplied MSRC material describes severe availability consequences, the public CPAN advisory does not establish persistent denial of service or complete resource unavailability as the vulnerability’s primary impact.
A Size Calculation Crosses the Buffer Boundary
The defect sits in S_measure_struct, an internal routine used while Perl interprets templates passed to its built-in pack and unpack functions. Those functions convert values to and from binary representations according to compact template strings, making them common in protocol handlers, file parsers, serialization code, and system utilities.When calculating a structure’s required size, the vulnerable code adds each item’s size multiplied by its repeat count to a signed
SSize_t total. A sufficiently large repeat count can overflow that total, wrapping it into a negative value instead of producing an error.Positioning directives such as
@, X, and x then make decisions using the corrupted length. Because a signed comparison can incorrectly accept the negative value, Perl may move an internal buffer pointer beyond the memory assigned to the input.The result is an out-of-bounds heap read. According to the CPAN Security Group advisory, a template derived from untrusted input can cause Perl to read memory after the legitimate buffer and return those bytes to the caller.
That distinction matters when assessing risk. An out-of-bounds read can expose fragments of heap memory belonging to the affected process, potentially including data from earlier operations, parsed requests, credentials, tokens, or other application state. Exactly what can be recovered will depend on the application, allocator behavior, process architecture, template, and surrounding heap layout.
The published weakness classifications are CWE-190, Integer Overflow or Wraparound, and CWE-125, Out-of-bounds Read. No public reporting reviewed for this disclosure demonstrates arbitrary code execution, and administrators should not automatically treat a heap read as a heap write.
Windows Does Not Need to Ship Perl for Perl to Be Present
A normal Windows 11 installation does not include a general-purpose Perl runtime, so most consumer PCs will not be directly exposed. Enterprise and developer systems are a different matter because Perl frequently arrives as part of another product or Unix-like tool environment.Git for Windows is the most prominent example. Its documentation says the full distribution includes Perl alongside Bash and other POSIX utilities required by Git workflows. Perl supports features including
git send-email and git svn, while the smaller MinGit distribution generally excludes it.Other places to check include Strawberry Perl, ActiveState distributions, MSYS2, Cygwin, application-specific runtime folders, build appliances, and Windows Subsystem for Linux distributions. WSL installations must be updated through their Linux package manager; installing a native Windows Perl update does not patch a separate interpreter inside Ubuntu, Debian, or another WSL image.
Administrators can locate interpreters visible through the current
PATH with:
Code:
where.exe perl
Get-Command perl -All
perl -v
C:\Program Files\Git\usr\bin, Strawberry Perl directories, CI agent workspaces, portable developer kits, and application-specific bin folders.Version discovery also needs context. The affected range is described as versions through 5.43.10, which encompasses supported stable branches older than the patched development build—not merely the numbered 5.43 development series shown in some abbreviated vulnerability databases.
Strawberry Perl’s latest publicly listed Windows packages at the time of disclosure are based on Perl 5.42.2 and 5.40.4. Those versions fall inside the upstream affected range unless the relevant security commits have been separately backported. Version numbers alone therefore cannot prove that a vendor package is safe; its changelog and patch set must be checked.
Exposure Depends on Who Controls the Template
The vulnerable functions are not inherently unsafe merely because an application callspack or unpack. Exploitation requires the attacker to influence a template in a way that introduces the oversized repeat count and reaches the affected sizing and positioning logic.Many Perl programs use fixed templates written directly into their source code. Those applications may have little or no practical exposure because an external user cannot replace the template, even when the binary data being packed or unpacked is untrusted.
Risk rises when applications construct templates dynamically from network messages, file metadata, database values, plug-in output, user-supplied configuration, or other external sources. Services that expose such behavior remotely deserve priority because a vulnerable parsing path could disclose memory without the attacker first obtaining a local account.
Security teams should search Perl code for dynamic uses of
pack and unpack, paying particular attention to templates containing or generating the @, X, and x position codes. A simple source search cannot prove exploitability, but it can identify applications requiring closer review.Until a patched package is available, maintainers can reduce exposure by rejecting user-controlled templates, constraining repeat counts before template construction, and replacing dynamic formats with fixed templates where possible. Input validation should happen before Perl evaluates the template rather than relying on a later buffer-length check.
These mitigations do not replace the upstream correction. The two referenced Perl commits add the necessary overflow protections, and the CPAN Security Group says the fix is included in Perl 5.43.11.
MSRC’s Availability Language Needs Careful Reading
Microsoft’s entry may cause confusion because its impact text describes total or serious loss of availability. That wording resembles a general severity definition rather than the technical account published by the Perl security team.The concrete exploit consequence documented upstream is reading heap memory past a buffer and returning it to the caller. A malformed input might also terminate a particular process on some platforms or builds, but that is not the same as demonstrating sustained or persistent denial of access to an entire component.
Administrators should therefore avoid reporting CVE-2026-57432 internally as a confirmed total-availability vulnerability without additional vendor evidence. The better-supported assessment is a memory-disclosure flaw that may also produce instability depending on how the invalid read resolves.
The CVE was reserved on June 24 and publicly disclosed on July 13, 2026. Initial vulnerability databases have shown differing or incomplete severity values, another reason to prioritize the technical preconditions and the affected application’s role over a single early score.
Organizations should now identify every Perl runtime, determine whether its distributor has applied the upstream commits, and inspect exposed applications for attacker-controlled templates. Perl 5.43.11 provides the first named fixed development release, but production Windows environments will largely depend on backported updates from Strawberry Perl, Git for Windows, MSYS2, Cygwin, ActiveState, Linux distributions used under WSL, and individual software vendors.
References
- Primary source: MSRC
Published: 2026-07-15T01:01:20-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: radar.offseq.com
CVE-2026-57432: CWE-190 Integer Overflow or Wraparound in SHAY perl - Live Threat Intelligence - Threat Radar | OffSeq.com
Detailed information about CVE-2026-57432: CWE-190 Integer Overflow or Wraparound in SHAY perl affecting SHAY perl. Get real-time updates, technical details, anradar.offseq.com - Related coverage: sources.debian.org