VIR Vulnerability Intelligence Relay

CVE-2026-11526

unknown
Published 2026-06-14 Β· Modified 2026-06-14
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
β€”
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
β€”

Description

GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle. GD::Image::_make_filehandle opens a filename argument with Perl's 2-arg open(), so a filename that begins or ends with a pipe ("| cmd", "cmd |") or begins with a redirect ("> path", ">> path") is run as a command or redirect rather than opened as a file. _make_filehandle is the single open path behind every filename-accepting constructor (new, newFromPng, newFromJpeg, and the rest); the in-memory *Data variants do not open a path and are unaffected. Any caller that forwards untrusted input to one of these constructors as a pathname can run an arbitrary command or truncate a file under the process UID.

Predictions

Exploit likelihood
20%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker Β· View original β†— Β· DFSG

CVE-2026-11526 NameCVE-2026-11526 SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus libgd-perl (PTS)bullseye2.73-1vulnerable bookworm2.76-4vulnerable…

CVE-2026-11526

NameCVE-2026-11526
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libgd-perl (PTS)bullseye2.73-1vulnerable
bookworm2.76-4vulnerable
trixie2.78-1vulnerable
forky2.84-2vulnerable
sid2.84-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libgd-perlsource(unstable)2.84-3

Notes

Fixed by: https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210 (v2.86)

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
Fixed by: https://github.com/lstein/Perl-GD/commit/67b163713c6c78dfeb693da0978ae934e5cd8210 (v2.86)

OS impact
debian Debian Mixed 5 releases
VersionStatusFixed in
trixie Affected β€”
sid Fixed 2.84-3
forky Fixed 2.84-3
bullseye Affected β€”
bookworm Affected β€”

References

CWEs

CWE-73 CWE-78

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.