Description
Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input.

bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses.

A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::BitTorrent for Perl decodes bencoded data by recursing once for each nested list or dictionary without imposing any depth limit; each recursive call passes the remaining buffer by value, so every active stack frame keeps a copy of the shrinking input, resulting in quadratic memory growth (O(N^2) bytes for an N-deep input). A crafted payload with roughly 150,000 nested lists, about 150 KB on the wire, drives peak memory consumption into the multi-gigabyte range, which can crash or severely degrade the client. This flaw exemplifies uncontrolled resource consumption (CWE-400) and uncontrolled recursion (CWE-674).

Affected Systems

All releases of SANKO Net::BitTorrent through version 2.0.1 are affected. Because the decoder processes every untrusted bencode source—including .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses—any client that incorporates this module is vulnerable regardless of its deployment environment.

Risk and Exploitability

The flaw is a classic remote memory exhaustion vulnerability. The decoder operates on any untrusted bencoded input, so an attacker can trigger it by sending a single deeply nested payload from any peer, or by delivering a crafted .torrent file or magnet link. Based on the description, it is inferred that exploitation requires only that the client receive the payload; no privileges, user interaction or additional setup are needed. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the severity of the resource exhaustion and the absence of a fixed release keep the risk high; the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5 (High), with the impact confined to availability.

Generated by OpenCVE AI on June 30, 2026 at 16:52 UTC.

Remediation

Vendor Workaround

There is no fixed release. Cap the bencode nesting depth (libtorrent rejects beyond about 100 levels) and decode without copying the buffer remainder at each level.


OpenCVE Recommended Actions

  • Patch the bdecode routine to enforce a maximum nesting depth of approximately 100 levels (the order of the cap libtorrent applies) and abort the decode as soon as it is exceeded.
  • Modify the decoder so that it walks a single shared buffer by offset instead of copying the remaining buffer into each recursive call, so that per-frame memory no longer grows with the input.
  • Because every untrusted source (.torrent files, BEP09 metadata, DHT messages and tracker responses) passes through the same decoder, a depth limit enforced inside bdecode covers all of them; if a separate pre-validation pass is used instead, reject over-deep payloads outright, since truncating them only yields malformed bencode.
  • Monitor SANKO Net::BitTorrent security advisories and upgrade to a patched release when one is made available.

Generated by OpenCVE AI on June 30, 2026 at 16:52 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Type: Description
Values Added: Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.

Type: Title
Values Added: Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input

Type: Weaknesses
Values Added: CWE-400, CWE-674

Type: References
Values Added:


MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-30T15:04:17.344Z

Reserved: 2026-06-23T18:20:33.514Z

Link: CVE-2026-57081

Vulnrichment

Updated: 2026-06-30T15:04:00.752Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:00:06Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-674: Uncontrolled Recursion