Description
Net::Dropbear versions before 0.14 for Perl contain a vulnerable version of libtomcrypt.

Net::Dropbear versions before 0.14 include Dropbear 2019.78 or earlier. These Dropbear releases bundle libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
Published: 2026-04-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Upgrade
AI Analysis

Impact

The vulnerability resides in the legacy libtomcrypt library bundled with Net::Dropbear Perl modules before 0.14. A memory corruption flaw (tracked under CWE-1395) in that library can be triggered when it processes certain cryptographic inputs, potentially allowing an attacker to overwrite memory and execute arbitrary code in the context of the module.

Affected Systems

All Net::Dropbear Perl packages released by ATRODO with versions earlier than 0.14 are affected. These modules embed Dropbear 2019.78 or older releases, which contain libtomcrypt v1.18.1 or earlier. Consequently, any system running one of these Perl module versions and using its embedded Dropbear is at risk.

Risk and Exploitability

The CVSS score of 10 denotes a critical risk level, while the EPSS score of less than 1% indicates a very low but non-zero likelihood of exploitation. KEV lists the vulnerability as not known to be exploited in the wild. Given the type of library and that Net::Dropbear typically provides an SSH-style server, the likely attack vector is an attacker sending crafted cryptographic data over a network connection; the severity remains high if exploitation succeeds. This attack vector is inferred, not explicitly stated in the provided description.

Generated by OpenCVE AI on April 28, 2026 at 16:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Net::Dropbear to 0.14 or later, which replaces the vulnerable libtomcrypt with a secure version.
  • If separate libtomcrypt packages are installed, update them to a non‑vulnerable release before or concurrently with the Net::Dropbear upgrade.
  • Apply any available patches to the Perl environment and stay informed of vendor advisories; monitor for further remediation.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Atrodo net\
Weaknesses                             NVD-CWE-noinfo
CPEs                                   cpe:2.3:a:atrodo:net\:\:dropbear:*:*:*:*:*:perl:*:*
Vendors & Products                     Atrodo net\

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Atrodo
                                       Atrodo net::dropbear
Vendors & Products                     Atrodo
                                       Atrodo net::dropbear

Tue, 21 Apr 2026 17:15:00 +0000

Type                 Values Removed    Values Added
Metrics                                cvssV3_1
                                       {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
                                       ssvc
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 16:00:00 +0000

Type                 Values Removed    Values Added
Description                            Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
Title                                  Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt
Weaknesses                             CWE-1395
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-21T16:23:17.147Z

Reserved: 2026-04-20T12:20:50.153Z

Link: CVE-2025-15638

Vulnrichment

Updated: 2026-04-21T16:23:11.845Z

NVD

Status: Analyzed

Published: 2026-04-21T16:16:19.030

Modified: 2026-04-22T17:35:37.783

Link: CVE-2025-15638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z