Description
Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery.

Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it.

The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical "r".

Keys used to sign more than once with an affected version should be considered compromised.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crypt::DSA versions prior to 1.21 reused the same per-signature nonce for every call to sign(), causing the DSA parameter 'r' to be identical across signatures. Because each new signature uses the same nonce, an observer who has access to two signatures from the same key can mathematically recover the private signing key. This vulnerability directly violates the DSA security model and leads to a total compromise of cryptographic credentials, categorized as CWE‑323.

Affected Systems

Perl installations that rely on the TIMLEGGE Crypt::DSA module and deploy a version older than 1.21 are vulnerable. Any environment that performed two or more signatures with a single Key object is at risk, as Crypt::DSA was deprecated in 1.20 and users should have moved away from it before this flaw was addressed. Consequently, all releases of Crypt::DSA from 1.0 up to but not including 1.21 are impacted.

Risk and Exploitability

The documented CVSS score of 9.1 marks the issue as critically severe, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of this assessment. The flaw is not listed in the CISA KEV catalog. exploitation requires that an attacker can obtain two signatures produced by the same Key object; this is usually possible when an application performs multiple signatures locally or an attacker can influence the signing process. Once two such signatures are observed, the private key can be derived, giving the attacker full control over all future signatures and a complete breach of integrity and authenticity for any data signed with the compromised key.

Generated by OpenCVE AI on June 17, 2026 at 21:53 UTC.

Remediation

Vendor Solution

Upgrade to version 1.21 Revoke any keys that may have been compromised. Crypt::DSA was deprecated in version 1.20. You should migrate to another solution.


OpenCVE Recommended Actions

  • Upgrade to Crypt::DSA 1.21 or later.
  • Revoke any DSA keys that may have been used to sign more than once with an affected version.
  • Migrate away from the deprecated Crypt::DSA module to a supported cryptographic library such as Crypt::OpenSSL::DSA or similar.

Generated by OpenCVE AI on June 17, 2026 at 21:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Timlegge
Timlegge crypt::dsa
Vendors & Products Timlegge
Timlegge crypt::dsa

Mon, 15 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
References

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical "r". Keys used to sign more than once with an affected version should be considered compromised.
Title Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery
Weaknesses CWE-323
References

Subscriptions

Timlegge Crypt::dsa
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-16T16:13:32.533Z

Reserved: 2026-06-14T12:07:30.610Z

Link: CVE-2026-12205

cve-icon Vulnrichment

Updated: 2026-06-15T22:44:28.639Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T23:16:43.150

Modified: 2026-06-16T17:16:32.480

Link: CVE-2026-12205

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-15T21:57:18Z

Links: CVE-2026-12205 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:00:04Z

Weaknesses
  • CWE-323

    Reusing a Nonce, Key Pair in Encryption