Description
Net::Dropbear versions before 0.14 for Perl contain a vulnerable version of libtomcrypt.

Net::Dropbear versions before 0.14 include versions of Dropbear 2019.78 or earlier. These include libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
Published: 2026-04-21
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote code execution due to a memory corruption flaw in an embedded cryptographic library
Action: Immediate Upgrade
AI Analysis

Impact

The flaw originates in libtomcrypt v1.18.1 or earlier, which is bundled with Net::Dropbear Perl modules prior to 0.14. A memory corruption vulnerability (CWE-1395) in this library can allow an attacker to overwrite memory and potentially execute arbitrary code.

Affected Systems

All ATRODO Net::Dropbear installations using version 0.13 or earlier, including releases that ship Dropbear 2019.78 or earlier, are affected. These Perl modules embed the vulnerable libtomcrypt and therefore expose the weakness across the systems that rely on them.

Risk and Exploitability

No EPSS score or KEV listing is available, indicating limited publicly known exploitation data; however, the underlying memory corruption could be leveraged if an attacker can supply crafted input or has local access. The CVSS score of 10 indicates a critical level of risk, so administrators should treat the vulnerability as a high‑risk concern and prioritize remediation.

Generated by OpenCVE AI on April 21, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Net::Dropbear to 0.14 or later, which replaces the vulnerable libtomcrypt with a safe version
  • Verify that the system's libtomcrypt package has been updated to a non‑vulnerable release before installing newer Net::Dropbear modules
  • Apply any vendor‑supplied security patches for the Perl environment and monitor for additional advisory updates



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 17:45:00 +0000

Values added:
  First Time appeared: Atrodo net\
  Weaknesses: NVD-CWE-noinfo
  CPEs: cpe:2.3:a:atrodo:net\:\:dropbear:*:*:*:*:*:perl:*:*
  Vendors & Products: Atrodo net\

Wed, 22 Apr 2026 12:15:00 +0000

Values added:
  First Time appeared: Atrodo; Atrodo net::dropbear
  Vendors & Products: Atrodo; Atrodo net::dropbear

Tue, 21 Apr 2026 17:15:00 +0000

Values added:
  Metrics:
    cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 16:00:00 +0000

Values added:
  Description: Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt. Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
  Title: Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt
  Weaknesses: CWE-1395
  References: (none)

Subscriptions

Atrodo Net::dropbear Net\
MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-21T16:23:17.147Z

Reserved: 2026-04-20T12:20:50.153Z

Link: CVE-2025-15638

Vulnrichment

Updated: 2026-04-21T16:23:11.845Z

NVD

Status : Analyzed

Published: 2026-04-21T16:16:19.030

Modified: 2026-04-22T17:35:37.783

Link: CVE-2025-15638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:18Z