Description
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.

When an object is initialised before forking, the internal state of the PRNG is shared across processes and identical random streams will be produced.

Secrets generated in multiprocess applications are predictable across processes.
Published: 2026-06-26
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a predictable random number generator flaw that allows identical random streams to be produced across forked processes when a Bytes::Random::Secure::Tiny object is initialized before the fork. As a result, secrets or tokens generated by the affected module become deterministic and can be predicted by an adversary. This weakness is classified as CWE-335.

Affected Systems

Vendors affected by this issue include DAVIDO, specifically the Bytes::Random::Secure::Tiny Perl module. All releases up through version 1.011 are impacted, meaning any installation of the module at these or earlier versions is vulnerable.

Risk and Exploitability

Because the flaw leads to predictable secrets, it can be exploited in any environment where the module is used in a multiprocess or forked context. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but its potential to compromise sensitive data suggests a significant confidentiality risk. An attacker who can control or observe forked processes may predict random values, leak credentials, or undermine cryptographic protocols that rely on this module.

Generated by OpenCVE AI on June 26, 2026 at 09:20 UTC.

Remediation

Vendor Workaround

Apply the patch, if possible. Otherwise, ensure that the object is only instantiated in a child process after forking. Alternatively, use a different module such as Crypt::PRNG, Crypt::SysRandom or Crypt::URandom.


OpenCVE Recommended Actions

  • Apply the vendor’s patch for Bytes::Random::Secure::Tiny.
  • Reinitialize the module only after the fork has completed, ensuring each process creates its own PRNG state.
  • If the current environment cannot be immediately patched, replace the module with a cryptographically secure alternative such as Crypt::PRNG, Crypt::SysRandom, or Crypt::URandom.
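The workaround and the recommended actions above both come down to one rule: never let a Bytes::Random::Secure::Tiny object created in the parent be used by forked children. The script below is an added example, not code from the advisory, from OpenCVE or from the module's own test suite. It forks three children under each pattern, has every child send one draw back through a pipe, and reports whether the draws coincide. It assumes the module's constructor takes a `bits` argument and that `bytes_hex($n)` returns a hex string of `$n` random bytes; the helper names `collect_from_children` and `all_identical` are this example's own.

```perl
#!/usr/bin/env perl
# Added example for CVE-2026-11702 (not the module's or the advisory's code).
# Vulnerable pattern: a generator built before fork() is shared by every child,
# so each child starts from the same PRNG state and draws the same bytes.
# Fixed pattern: each child builds its own generator after fork().
# Assumed API: Bytes::Random::Secure::Tiny->new(bits => ...) and bytes_hex($n).
use strict;
use warnings;
use Bytes::Random::Secure::Tiny;

# Fork $n_children children; each runs $draw->() and writes the result to a
# pipe. Returns the results in child order.
sub collect_from_children {
    my ($n_children, $draw) = @_;
    my @results;
    for my $i (1 .. $n_children) {
        pipe(my $reader, my $writer) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {
            # Child: produce one value and hand it back to the parent.
            close $reader;
            print {$writer} $draw->();
            close $writer;
            exit 0;
        }
        # Parent: read the child's value, then reap it.
        close $writer;
        my $out = do { local $/; <$reader> };
        close $reader;
        waitpid($pid, 0);
        push @results, $out;
    }
    return @results;
}

# True when every element of the list is the same string.
sub all_identical {
    my %seen = map { $_ => 1 } @_;
    return scalar(keys %seen) == 1;
}

# Vulnerable pattern: one generator created in the parent, used by every child.
my $shared = Bytes::Random::Secure::Tiny->new(bits => 256);
my @shared_draws = collect_from_children(3, sub { $shared->bytes_hex(16) });

# Fixed pattern: each child instantiates its own generator after fork().
my @per_child_draws = collect_from_children(3, sub {
    my $own = Bytes::Random::Secure::Tiny->new(bits => 256);
    return $own->bytes_hex(16);
});

printf "object created before fork: %s\n",
    all_identical(@shared_draws) ? "IDENTICAL draws across children (vulnerable)" : "distinct draws";
printf "object created after fork:  %s\n",
    all_identical(@per_child_draws) ? "identical draws (unexpected)" : "distinct draws (expected)";
```

On an affected release (1.011 or earlier) the first line reports identical draws and the second distinct ones; once the module is patched, or the per-child pattern is used everywhere, both report distinct draws. The same check can be kept as a regression test in any service that forks workers (prefork web servers, job runners) and generates session tokens or keys in the children.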


Tracking


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 08:45:00 +0000

Type         Values Removed   Values Added
Description                   Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess applications are predictable across processes.
Title                         Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
Weaknesses                    CWE-335
References

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-26T08:13:56.386Z

Reserved: 2026-06-08T22:09:13.472Z

Link: CVE-2026-11702

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T09:30:16Z

Weaknesses
  • CWE-335

    Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)