Description
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix.

The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit.

Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.
Published: 2026-06-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in Net::BitTorrent versions up to 2.0.1 for Perl where the peer-wire framing routine accepts a 4-byte length prefix without imposing any bound. The receiving routine appends all inbound bytes to a buffer and delays decoding until the full length advertised by the peer is available. This flaw, classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling), allows an attacker to advertise a length near 4 GiB, so that the process keeps buffering toward that size and consumes large amounts of memory. Because the length field is never validated, any unauthenticated peer in a swarm can exploit it to exhaust the BitTorrent client's available memory, potentially crashing it or rendering it unresponsive and thereby denying service to legitimate users.

Affected Systems

The affected product is Net::BitTorrent, a Perl module used to build BitTorrent clients, with all releases through version 2.0.1 vulnerable. No specific patch version is currently provided by the CNA; the module remains vulnerable until a fixed release is issued by SANKO.

Risk and Exploitability

The attack vector is remote, via the peer-wire protocol used by BitTorrent peers. Because peer connections are unauthenticated, any malicious peer can initiate the attack. The exploit requires no special privileges or additional software beyond a standard BitTorrent client. The CVSS score of 7.5 denotes high severity; although the EPSS score is very low and there is no KEV entry, the lack of mitigation mechanisms in the library and the potential for large memory consumption make this a high-risk denial-of-service flaw.

Generated by OpenCVE AI on June 30, 2026 at 15:39 UTC.

Remediation

Vendor Workaround

There is no fixed release. Reject a peer-wire message length above a sane maximum (well above the 16 KiB largest legitimate message) and disconnect the peer instead of buffering unboundedly.


OpenCVE Recommended Actions

  • Modify the Net::BitTorrent code to reject any peer-wire message length exceeding a sane limit such as 16 KiB and immediately terminate the connection for oversized messages.
  • After disconnecting an offending peer, promptly restart or reload the BitTorrent process to free any residual memory allocation.
  • Monitor the process memory footprint and set alert thresholds; schedule automatic restarts if usage approaches capacity, and track SANKO for any future release that fixes the memory-exhaustion flaw.

Generated by OpenCVE AI on June 30, 2026 at 15:39 UTC.
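The framing check that the description and the workaround above call for, as an added example that is not Net::BitTorrent's own code: a minimal Python peer-wire decoder that reads the 4-byte big-endian length prefix and rejects the peer before any of the announced payload is buffered, placed next to the unbounded shape the advisory describes. The decoder class names, the 32 KiB cap (chosen to clear a 16 KiB block plus its 9-byte piece header), and every sample frame are constructed for this illustration.

```python
import struct

# BEP 3 piece message: <len=0009+X><id=7><index><begin><block>, X = 16 KiB.
PIECE_BLOCK = 16 * 1024
PIECE_HEADER = 9
PREFIX_LEN = 4
# Assumed cap for this example: 32 KiB clears the largest legitimate
# message while staying far below the ~4 GiB a 4-byte prefix can encode.
MAX_MESSAGE_LEN = 32 * 1024


class OversizedMessage(ValueError):
    """A peer announced a length prefix above MAX_MESSAGE_LEN."""


def _pop_message(buf, length):
    """Remove one complete frame from buf and return it as (id, payload)."""
    body = bytes(buf[PREFIX_LEN:PREFIX_LEN + length])
    del buf[:PREFIX_LEN + length]
    if length == 0:
        return (None, b"")          # keep-alive
    return (body[0], body[1:])


class UnboundedDecoder:
    """The vulnerable shape the advisory describes: no check on the prefix,
    so the buffer grows until the whole announced length has arrived."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        self.buf += data
        out = []
        while len(self.buf) >= PREFIX_LEN:
            (length,) = struct.unpack_from("!I", self.buf, 0)
            if len(self.buf) < PREFIX_LEN + length:
                break               # keeps waiting, and growing, for up to ~4 GiB
            out.append(_pop_message(self.buf, length))
        return out


class BoundedDecoder:
    """Hardened decoder: validates the prefix with only 4 bytes buffered and
    marks the peer for disconnect instead of accumulating the payload."""

    def __init__(self, max_len=MAX_MESSAGE_LEN):
        self.max_len = max_len
        self.buf = bytearray()
        self.disconnected = False

    def feed(self, data):
        if self.disconnected:
            raise OversizedMessage("peer already rejected")
        self.buf += data
        out = []
        while len(self.buf) >= PREFIX_LEN:
            (length,) = struct.unpack_from("!I", self.buf, 0)
            if length > self.max_len:
                self.disconnected = True
                self.buf.clear()    # nothing is retained for a rejected peer
                raise OversizedMessage(
                    f"announced length {length} exceeds cap {self.max_len}")
            if len(self.buf) < PREFIX_LEN + length:
                break               # bounded wait for the rest of a sane frame
            out.append(_pop_message(self.buf, length))
        return out


def frame(msg_id=None, payload=b""):
    """Encode <len><id><payload>; msg_id None encodes a keep-alive."""
    if msg_id is None:
        return struct.pack("!I", 0)
    body = bytes([msg_id]) + payload
    return struct.pack("!I", len(body)) + body


def demo():
    """Feed constructed frames to both decoders; returns what each observed."""
    # Legitimate stream: keep-alive, 'have' piece 7 (id 4), and a full
    # 16 KiB block for piece 0 at offset 0 (id 7), delivered across two reads.
    legit = (frame()
             + frame(4, struct.pack("!I", 7))
             + frame(7, struct.pack("!II", 0, 0) + b"\x00" * PIECE_BLOCK))
    good = BoundedDecoder()
    msgs = good.feed(legit[:100]) + good.feed(legit[100:])
    ids = [m[0] for m in msgs]                      # [None, 4, 7]

    # Anomalous stream: prefix 0xFFFFFFFF announces ~4 GiB, then 1000 bytes.
    bad = struct.pack("!I", 0xFFFFFFFF) + b"\x00" * 1000
    unbounded = UnboundedDecoder()
    unbounded.feed(bad)
    unbounded_held = len(unbounded.buf)             # 1004, still waiting
    bounded = BoundedDecoder()
    rejected = False
    try:
        bounded.feed(bad)
    except OversizedMessage:
        rejected = True
    bounded_held = len(bounded.buf)                 # 0, dropped at the prefix
    return ids, unbounded_held, rejected, bounded_held


if __name__ == "__main__":
    print(demo())
```

The decisive detail is where the comparison sits: the bounded decoder checks the prefix as soon as four bytes are readable, so a bad announcement costs at most a few bytes before the connection is dropped, while the unbounded decoder holds everything until the announced length has arrived. A cap of exactly 16 KiB on the length prefix would also reject legitimate piece messages, whose total length is the 16384-byte block plus the 9-byte header, so the cap should sit somewhat above the block size.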


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Sanko
                                       Sanko net::bittorrent
Vendors & Products                     Sanko
                                       Sanko net::bittorrent

Tue, 30 Jun 2026 14:30:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                            ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Type          Values Removed   Values Added
Description                    Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit. Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.
Title                          Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix
Weaknesses                     CWE-400
                               CWE-770
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-30T13:48:44.549Z

Reserved: 2026-06-23T18:20:33.514Z

Link: CVE-2026-57080

Vulnrichment

Updated: 2026-06-30T13:48:30.630Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:01:56Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-770

    Allocation of Resources Without Limits or Throttling