GHSA-P6F4-6QXG-8XQV

Vulnerability from github – Published: 2026-03-29 03:30 – Updated: 2026-03-31 21:31
VLAI?
Details

GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.

GRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.

read_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()

$arg .= '$VAR1'; my $val = eval "no strict; $arg"; # line 40-41

$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:

$VAR1 = do { system("..."); };

This executes on the client silently on every RPC call, as the return values remain correct.

This functionality is by design but the trust requirement for the remote host is not documented in the distribution.

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2026-4851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-29T01:15:56Z",
    "severity": "CRITICAL"
  },
  "details": "GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization.\n\nGRID::Machine provides Remote Procedure Calls (RPC) over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary code back on the client through unsafe deserialization in the RPC protocol.\n\nread_operation() in lib/GRID/Machine/Message.pm deserialises values from the remote side using eval()\n\n  $arg .= \u0027$VAR1\u0027;\n  my $val = eval \"no strict; $arg\"; # line 40-41\n\n$arg is raw bytes from the protocol pipe. A compromised remote host can embed arbitrary perl in the Dumper-formatted response:\n\n  $VAR1 = do { system(\"...\"); };\n\nThis executes on the client silently on every RPC call, as the return values remain correct.\n\nThis functionality is by design but the trust requirement for the remote host is not documented in the distribution.",
  "id": "GHSA-p6f4-6qxg-8xqv",
  "modified": "2026-03-31T21:31:18Z",
  "published": "2026-03-29T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4851"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/03/26/6"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/03/26/6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.