Description
Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function random_bytes().

The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to the chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and an application crash (denial of service).

In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
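A constructed C illustration, added here and not taken from the module, of the two arithmetic steps the description names and of the length validation the fix requires: a Perl IV modelled as a signed long, the `length + 1u` allocation size and the `(size_t)length` request size computed separately, and a wrapper that rejects negative or oversized lengths before allocating. The fill loop is a deterministic stand-in for getrandom(2), not a random source, and the 4096-byte `max_request` bound is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration of the CVE-2026-2597 arithmetic, not the module's code;
 * a Perl IV is modelled as long. Flawed pattern: buffer sized from `length + 1u`,
 * request sized from `length`, with no sign check in between. */
size_t unchecked_alloc_size(long length)   { return length + 1u; }    /* -1 wraps to 0 */
size_t unchecked_request_size(long length) { return (size_t)length; } /* -1 -> SIZE_MAX */

/* Hardened pattern: validate before any arithmetic; false means the length is rejected. */
bool checked_sizes(long length, size_t max_request, size_t *alloc, size_t *request)
{
    if (length < 0)                             /* CWE-1284: negative length rejected */
        return false;
    if ((unsigned long)length > max_request)    /* bound keeps `+ 1` from overflowing */
        return false;
    *request = (size_t)length;
    *alloc = *request + 1;                      /* room for a trailing NUL */
    return true;
}

/* Safe wrapper: allocates only after validation, so alloc > request always holds.
 * Returns a NUL-terminated buffer the caller frees, or NULL if the length is rejected.
 * The fill loop stands in for the system random source (getrandom(2) and friends) so
 * the example runs offline; it is NOT a CSPRNG, real code calls the kernel here. */
unsigned char *random_bytes_checked(long length, size_t max_request, size_t *out_len)
{
    size_t alloc, request;
    if (!checked_sizes(length, max_request, &alloc, &request))
        return NULL;
    unsigned char *buf = malloc(alloc);
    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < request; i++)        /* exactly `request` bytes written */
        buf[i] = (unsigned char)i;              /* ...into an `alloc`-byte buffer */
    buf[request] = '\0';
    *out_len = request;
    return buf;
}

/* Round trip for a stand-alone run: bytes produced for `length`, or -1 if rejected. */
long checked_roundtrip(long length)
{
    size_t n;
    unsigned char *buf = random_bytes_checked(length, 4096, &n);
    if (buf == NULL) return -1;
    free(buf);
    return (long)n;
}
```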
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Heap Buffer Overflow
Action: Apply patch
AI Analysis

Impact

Crypt::SysRandom::XS versions before 0.010 do not check that the requested byte length is non‑negative. Supplying a negative value causes an integer wraparound, allocating a zero‑byte buffer while a large unsigned value is later used for the actual data request. This results in memory writes beyond the allocated heap space, corrupting adjacent data and typically crashing the application. The impact is a denial of service.

Affected Systems

The vulnerability affects the Crypt::SysRandom::XS module distributed by LEONT for Perl. All releases older than version 0.010 are susceptible. Most deployments use hard‑coded length arguments, which reduces the chance of exploitation, but any Perl application that forwards untrusted input to the random_bytes() function is potentially impacted.

Risk and Exploitability

The CVSS score is 7.5, qualifying as High severity. The EPSS score is reported as less than 1%, indicating a very low probability of observed exploitation, and the flaw is not yet listed in the CISA KEV catalog. The likely attack vector is application‑level, requiring that the user process or a component passing untrusted data to random_bytes() can supply a negative value. Although exploitation is not trivial, a successful attempt would crash the application.

Generated by OpenCVE AI on April 18, 2026 at 10:20 UTC.

Remediation

Vendor Solution

Update to version 0.010 or later

OpenCVE Recommended Actions

  • Apply the vendor‑supplied fix by upgrading Crypt::SysRandom::XS to version 0.010 or newer
  • Ensure all callers validate the length parameter to be non‑negative before invoking random_bytes()
  • If an upgrade is not immediately possible, disable or replace the module with a safer random‑byte routine and monitor for crash symptoms


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Leont crypt\
CPEs cpe:2.3:a:leont:crypt\:\:sysrandom\:\:xs:*:*:*:*:*:perl:*:*
Vendors & Products Leont crypt\

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Leont
Leont crypt::sysrandom::xs
Vendors & Products Leont
Leont crypt::sysrandom::xs

Thu, 26 Feb 2026 23:45:00 +0000

Type Values Removed Values Added
Description Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
Title Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes()
Weaknesses CWE-122
CWE-1284
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-02-27T18:50:46.353Z

Reserved: 2026-02-16T20:27:02.194Z

Link: CVE-2026-2597

Vulnrichment

Updated: 2026-02-27T18:50:24.429Z

NVD

Status : Analyzed

Published: 2026-02-27T00:16:58.587

Modified: 2026-03-03T19:35:46.163

Link: CVE-2026-2597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses