Description
Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks.

For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepancies in timing could be used to guess the secret password.
Published: 2026-04-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Timing attack reveals secrets
Action: Patch
AI Analysis

Impact

Versions of Crypt::SecretBuffer prior to 0.019 allow measurable timing differences during secret comparisons. An attacker can exploit these non-constant-time operations to infer passwords or other sensitive data, compromising confidentiality. The weakness is classified as CWE-208: a comparison whose running time depends on the value of the data being compared.

Affected Systems

The vulnerable component is the NERDVANA Crypt::SecretBuffer Perl module. All releases older than version 0.019 contain the flaw and are susceptible whenever the module is used to store or compare secrets.

Risk and Exploitability

Based on the description, the likely attack vector involves an attacker triggering the module locally or observing its execution timing, requiring moderate skill and repeated trials to mount a successful timing attack. The vulnerability has a CVSS score of 7.5 and an EPSS score of <1%, indicating high severity but a very low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The overall risk is significant for applications relying on this module for password handling.

Generated by OpenCVE AI on April 16, 2026 at 02:35 UTC.

Remediation

Vendor Solution

Upgrade to version 0.019 or later.


OpenCVE Recommended Actions

  • Upgrade Crypt::SecretBuffer to version 0.019 or later
  • Replace usage of the module in password comparison with a constant-time comparison routine from a vetted library (e.g., Digest::SHA or Crypt::VerifyPassword) as a temporary measure if immediate upgrade is not possible
  • Conduct a code review and penetration testing focused on timing side channels for authentication logic to ensure no other vulnerable comparisons remain

Generated by OpenCVE AI on April 16, 2026 at 02:35 UTC.
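As an added illustration of the constant-time comparison the recommendations call for (example code written for this page, not code from Crypt::SecretBuffer, NERDVANA or OpenCVE), the Perl script below contrasts the variable-time `eq` with a byte-wise constant-time compare and a Digest::SHA keyed-hash ("double HMAC") compare; the function names, the per-process key and the sample strings are assumptions, and Digest::SHA is assumed to be installed (it ships with core Perl).

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256);

# The pattern the advisory warns about: Perl's eq stops at the first
# differing byte, so its run time depends on how much of the guess is right.
sub naive_equal {
    my ($expected, $supplied) = @_;
    return $expected eq $supplied ? 1 : 0;
}

# Constant-time alternative: XOR every byte pair and OR the results together,
# so every byte is visited and the time depends only on the length of $expected.
sub ct_equal {
    my ($expected, $supplied) = @_;
    # The length check still leaks the length; hmac_equal() below hides that too.
    return 0 if length($expected) != length($supplied);
    my $diff = 0;
    for my $i (0 .. length($expected) - 1) {
        $diff |= ord(substr($expected, $i, 1)) ^ ord(substr($supplied, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# "Double HMAC" comparison: keyed-hash both values with a random per-process
# key (an assumption for this example; Perl's rand is not a CSPRNG, so use a
# proper entropy source in production), then compare the fixed-length digests
# in constant time. Neither the mismatch position nor the secret's length
# is observable in the timing.
my $nonce = pack('C*', map { int rand 256 } 1 .. 32);
sub hmac_equal {
    my ($expected, $supplied) = @_;
    return ct_equal(hmac_sha256($expected, $nonce), hmac_sha256($supplied, $nonce));
}

# Constructed sample inputs (not values from the advisory).
my $stored = 'correct horse battery staple';
for my $guess ('correct horse battery staple', 'correct horse battery stable', 'c') {
    printf "%-30s naive=%d ct=%d hmac=%d\n", $guess,
        naive_equal($stored, $guess), ct_equal($stored, $guess), hmac_equal($stored, $guess);
}
```

Storing password hashes rather than plaintext and comparing the digests remains the right design; the routines above apply to any secret that must be compared byte for byte.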

Advisories

No advisories yet.

History

Wed, 06 May 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Nerdvana crypt\
CPEs cpe:2.3:a:nerdvana:crypt\:\:secretbuffer:*:*:*:*:*:perl:*:*
Vendors & Products Nerdvana crypt\

Wed, 15 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Nerdvana
Nerdvana crypt::secretbuffer
Vendors & Products Nerdvana
Nerdvana crypt::secretbuffer

Tue, 14 Apr 2026 02:30:00 +0000

Type Values Removed Values Added
References

Mon, 13 Apr 2026 23:00:00 +0000

Type Values Removed Values Added
Description Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepancies in timing could be used to guess the secret password.
Title Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks
Weaknesses CWE-208
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-15T20:03:28.442Z

Reserved: 2026-03-28T19:22:27.564Z

Link: CVE-2026-5086

Vulnrichment

Updated: 2026-04-14T01:34:38.681Z

NVD

Status : Analyzed

Published: 2026-04-13T23:16:27.990

Modified: 2026-05-06T17:16:49.683

Link: CVE-2026-5086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T02:45:06Z

Weaknesses