Description
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function.

pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer.

Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

List::SomeUtils::XS versions before 0.59 for Perl contain a heap buffer overflow in the pairwise function. The function allocates a heap buffer sized to the longer input array and then expands it with a single quadrupling operation each time data is copied. If the block supplied to pairwise returns more than four times the length of the longest input array in one invocation, the buffer grows too small and a memcpy copy writes beyond its bounds, corrupting heap memory. This corruption can cause program crashes or other unstable behavior.

Affected Systems

Any Perl installation that loads List::SomeUtils::XS before version 0.59 and invokes the pairwise function is impacted. Systems using versions 0.58 and earlier must check for the exact module version, as these releases carry the flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates moderate to high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a caller to invoke pairwise with a block that returns a very large value, so the risk is more pronounced in environments where untrusted code can construct such calls. While the primary impact is heap corruption leading to possible denial of service, more advanced exploitation could arise if the corrupted memory is leveraged for arbitrary code execution, though such a scenario is not confirmed.

Generated by OpenCVE AI on June 25, 2026 at 20:53 UTC.

Remediation

Vendor Solution

Upgrade to List::SomeUtils::XS 0.59 or later.


OpenCVE Recommended Actions

  • Upgrade List::SomeUtils::XS to version 0.59 or later.
  • Refactor any pairwise calls so that the block never returns more than four times the longest input array length.
  • If an upgrade cannot be performed immediately, replace pairwise with a custom implementation that performs explicit bounds checking before copying data.

Generated by OpenCVE AI on June 25, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Drolsky
Drolsky list::someutils::xs
Vendors & Products Drolsky
Drolsky list::someutils::xs

Thu, 25 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
Title List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function
Weaknesses CWE-122
CWE-787
References

Subscriptions

Drolsky List::someutils::xs
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-25T19:35:16.577Z

Reserved: 2026-06-21T21:38:59.795Z

Link: CVE-2026-12844

cve-icon Vulnrichment

Updated: 2026-06-25T19:35:16.577Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:36:59Z

Weaknesses