๐Ÿ” CVE Alert

CVE-2026-57433

CRITICAL 9.8

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record

CVSS Score
9.8
EPSS Score
0.2%
EPSS Percentile
7th

Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK record and calls av_extend with that count plus one. A count of I32_MAX wraps the addition to a negative value. A crafted blob passed to thaw or retrieve triggers the overflow; av_extend receives the negative count and dies with a panic, terminating the deserialization.

CWE CWE-190
Vendor haarg
Product storable
Published Jul 13, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for haarg storable

Be the first to know when new critical vulnerabilities affecting haarg storable are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

HAARG / Storable
0 < 3.41

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/Perl/perl5/commit/e4f681784bcdeaa91ff02a2fa4cdcae5c46779d7.patch openwall.com: http://www.openwall.com/lists/oss-security/2026/07/13/7