Description
CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers.

The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three.

Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow.
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
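The unchecked copy described above and the length clamp that fixes it, as an added C sketch that is not CryptX's own XS code. The function names, the `expected` parameter (standing in for the tag the cipher computes) and the sample tags are assumptions; only the 144-byte MAXBLOCKSIZE comes from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXBLOCKSIZE 144 /* stack buffer size stated in the description */

/* Constant-time compare: does not reveal where the first mismatch is. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Before (hypothetical model): caller-controlled tag_len drives the copy
 * into a fixed buffer. Memory-safe only when tag_len <= MAXBLOCKSIZE. */
int verify_tag_unchecked(const unsigned char *tag, size_t tag_len,
                         const unsigned char *expected, size_t expected_len) {
    unsigned char buf[MAXBLOCKSIZE];
    memcpy(buf, tag, tag_len); /* writes past buf when tag_len > 144 */
    return tag_len == expected_len && ct_equal(buf, expected, expected_len);
}

/* After (hypothetical model): clamp the copy to the buffer, and never
 * authenticate a tag whose length differs from the computed one. */
int verify_tag_clamped(const unsigned char *tag, size_t tag_len,
                       const unsigned char *expected, size_t expected_len) {
    unsigned char buf[MAXBLOCKSIZE];
    size_t n = tag_len > MAXBLOCKSIZE ? MAXBLOCKSIZE : tag_len; /* the clamp */
    memcpy(buf, tag, n);
    if (tag_len != expected_len) return 0; /* oversized or truncated tag */
    return ct_equal(buf, expected, n);
}

int main(void) {
    unsigned char expected[16], oversized[200]; /* constructed sample tags */
    memset(expected, 0xAB, sizeof expected);
    memset(oversized, 0xAB, sizeof oversized);
    printf("16-byte tag:  %d\n",
           verify_tag_clamped(expected, sizeof expected, expected, sizeof expected));
    printf("200-byte tag: %d\n",
           verify_tag_clamped(oversized, sizeof oversized, expected, sizeof expected));
    return 0;
}
```

With the clamp in place an oversized tag is a verification failure rather than a memory-safety event.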
AI Analysis

Impact

CryptX components before version 0.088_001 for Perl contain a stack buffer overflow in four AEAD decrypt_verify helper routines. The routines copy an authentication tag supplied by the caller into a 144‑byte stack buffer without validating the tag’s length, allowing an attacker who can supply a longer tag to overwrite adjacent stack data. This overflow can lead to corruption of the stack frame and potentially arbitrary code execution within the process, compromising confidentiality, integrity, and availability of the affected application.

Affected Systems

The vulnerability exists in all CryptX releases prior to 0.088_001, distributed by MIK under the CryptX product line for Perl. Users of the affected Perl bindings—whether through CPAN or other distribution channels—are impacted unless they have upgraded to the fixed version.

Risk and Exploitability

The CVSS score of 7.5 and an EPSS score of less than 1% indicate moderate-to-high severity, but the presence of a stack-based buffer overflow classifies the risk as high. Exploitation requires an attacker to supply a crafted authentication tag, so the vulnerability is exploitable in any context where the decryption helpers are invoked with attacker-controlled input. The CVE has no entry in the CISA KEV list, which indicates that widespread exploitation is not yet documented, but in the absence of mitigation it is prudent to consider the risk significant.

Generated by OpenCVE AI on May 29, 2026 at 17:48 UTC.

Remediation

Vendor Solution

Upgrade to CryptX 0.088_001 or later.


OpenCVE Recommended Actions

  • Apply the vendor’s official fix by upgrading CryptX to version 0.088_001 or later.
  • If an immediate upgrade cannot be deployed, replace calls to the vulnerable helper routines with wrappers that enforce a maximum tag length of 144 bytes before copying the tag onto the stack.
  • Audit the codebase to ensure no paths can supply an authentication tag longer than the expected maximum; remove or refactor any usage of the vulnerable functions that cannot be protected by length checks.


Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
              cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 29 May 2026 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-120

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
              threat_severity Important


Thu, 28 May 2026 23:30:00 +0000

Type: References

Thu, 28 May 2026 17:00:00 +0000

Type: First Time appeared
Values Added: Mik
              Mik cryptx

Type: Vendors & Products
Values Added: Mik
              Mik cryptx

Thu, 28 May 2026 15:30:00 +0000

Type: Description
Values Added: CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers. The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three. Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow.

Type: Title
Values Added: CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers

Type: Weaknesses
Values Added: CWE-121

Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-29T15:53:39.530Z

Reserved: 2026-04-21T12:45:20.133Z

Link: CVE-2026-41565

Vulnrichment

Updated: 2026-05-28T22:33:27.672Z

NVD

Status: Deferred

Published: 2026-05-28T16:16:22.343

Modified: 2026-05-29T16:16:27.003

Link: CVE-2026-41565

Redhat

Severity: Important

Public Date: 2026-05-28T14:13:19Z

Links: CVE-2026-41565 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-121

    Stack-based Buffer Overflow