Cyber Resilience

CVE-2017-20230

Critical

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0064 46.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2017-20230 is a critical-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Nwclark Storable. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2017-20230 is a stack overflow vulnerability in Storable versions before 3.05 for Perl. The retrieve_hook function stores the length of the class name into a signed integer but treats the length as unsigned during read operations, enabling an attacker to craft data that triggers the overflow. This issue is classified under CWE-121 (Stack-based Buffer Overflow) and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability by supplying specially crafted Storable data to an application that deserializes it using affected versions. Exploitation requires no privileges or user interaction and changes scope, potentially allowing full system compromise with high impacts on confidentiality, integrity, availability, and execution of arbitrary code via the stack overflow.

Advisories recommend upgrading to Storable 3.05 or later, as documented in the release changes on MetaCPAN. A fixing patch is provided in the Perl 5 GitHub repository at commit a258c17c6937f79529c8319a829310e09cdbd216, with related discussions in Perl porters mailing list archives from January 2017 and the Perl 5 issue tracker.

EU & UK References

Vulnerability details

Storable versions before 3.05 for Perl has a stack overflow. The retrieve_hook function stored the length of the class name into a signed integer but in read operations treated the length as unsigned. This allowed an attacker to craft data…

more

that could trigger the overflow.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated stack overflow in Perl Storable deserialization directly enables exploitation of public-facing applications for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-38422Shared CWE-121
CVE-2025-11783Shared CWE-121
CVE-2025-54491Shared CWE-121
CVE-2024-39359Shared CWE-121
CVE-2026-42469Shared CWE-121
CVE-2020-37159Shared CWE-121
CVE-2024-39603Shared CWE-121
CVE-2024-36258Shared CWE-121
CVE-2024-51138Shared CWE-121
CVE-2025-69763Shared CWE-121

Affected Assets

nwclark
storable
≤ 3.05

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the stack overflow flaw in Storable by applying patches or upgrading to version 3.05 or later.

prevent

Implements memory protections like stack canaries, ASLR, or non-executable stacks to mitigate exploitation of the stack-based buffer overflow during deserialization.

prevent

Validates specially crafted Storable input data before deserialization to block unsigned integer length mismatches that trigger the overflow.

References