CVE-2026-12844

HIGH 7.5

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.

CWE	CWE-787 CWE-122
Vendor	drolsky
Product	list::someutils::xs
Published	Jun 25, 2026
Last Updated	Jun 25, 2026

Stay Ahead of the Next One

Get instant alerts for drolsky list::someutils::xs

Be the first to know when new high vulnerabilities affecting drolsky list::someutils::xs are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

DROLSKY / List::SomeUtils::XS

0 < 0.59

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/houseabsolute/List-SomeUtils-XS/commit/22549f78669b780d6aa338a2d2e49a3dedfffaa6.patch metacpan.org: https://metacpan.org/release/DROLSKY/List-SomeUtils-XS-0.59/changes openwall.com: http://www.openwall.com/lists/oss-security/2026/06/25/11