Description
Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG.

The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in _random_pad, immediately after the public key and the private-key draw.

A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.
Published: 2026-06-30
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Net::BitTorrent generates its MSE Diffie-Hellman private key from Perl's non-cryptographic rand(), a predictably seeded drand48-style generator. Because the handshake sends cleartext padding drawn from the same PRNG, an observer can recover the PRNG state, reconstruct the private key and compute the shared secret from the peer's public key. The RC4 keys derived from that secret, and with them the encrypted channel, can then be recovered, so an attacker gains full read access to the MSE-protected traffic. The weakness is classified as CWE-330 (Use of Insufficiently Random Values) and CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)).

Affected Systems

SankO's Net::BitTorrent library for Perl, all versions through 2.0.1, when it is used to encrypt peer connections with MSE. Every installation of an affected version is exposed to passive decryption of its MSE traffic.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. The attack requires only passive observation of the MSE handshake and no privileged access, and it directly compromises the confidentiality of all encrypted traffic.

Generated by OpenCVE AI on June 30, 2026 at 16:52 UTC.

Remediation

Vendor Workaround

There is no fixed release. Draw the Diffie-Hellman private key and the handshake padding from a cryptographic source such as Crypt::URandom rather than rand().


OpenCVE Recommended Actions

  • Change Net::BitTorrent so that the private key and handshake padding are generated with a cryptographic PRNG such as Crypt::URandom instead of Perl's rand().
  • Modify KeyExchange.pm to replace the rand() calls, or remove the publicly sent padding that leaks the PRNG state (removing the padding alone still leaves the private key drawn from a predictable generator).
  • Place Net::BitTorrent traffic behind a firewall or add an additional TLS layer so that a passive observer cannot see the MSE handshake.
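The following Perl is an added example, not code from Net::BitTorrent or KeyExchange.pm: it places the rand()-based pattern the vendor workaround and the recommended actions describe next to a hardened replacement that draws both the 160-bit private key and the handshake padding from Crypt::URandom, and derives the RC4 keys with the SHA-1 construction the description gives. The sub names, the 0..512-byte padding range (from the MSE specification) and the byte layout of the shared secret are assumptions.

```perl
#!/usr/bin/perl
# Added example, not Net::BitTorrent's own code: the weak pattern the
# advisory describes next to a hardened replacement for the two draws.
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # OS CSPRNG (getrandom / /dev/urandom)
use Digest::SHA    qw(sha1);

# Weak pattern (illustrative only): every byte comes from rand(), a
# drand48-class generator seeded once per process. The cleartext padding
# exposes the same state, so this key is recoverable by an observer.
sub weak_private_key {
    return join '', map { chr int rand 256 } 1 .. 20;   # 160 bits
}

# Hardened: the 160-bit private key comes straight from the OS CSPRNG.
sub private_key {
    return urandom(20);
}

# Hardened padding: MSE allows 0..512 bytes of padding; both its length
# and its content come from the CSPRNG, so the wire leaks no PRNG state.
sub random_pad {
    my $len = unpack('n', urandom(2)) % 513;
    return $len ? urandom($len) : '';
}

# RC4 key derivation as the advisory describes it (assumed byte layout):
# SHA-1("keyA" . S . SKEY) for the initiator, "keyB" for the receiver.
# $S is the DH shared secret as big-endian bytes; $skey is the infohash.
sub rc4_keys {
    my ($S, $skey) = @_;
    return (sha1('keyA' . $S . $skey), sha1('keyB' . $S . $skey));
}

# Sanity check a caller can run before using a key: it must be 20 bytes
# and must not be the all-zero draw a broken RNG could produce.
sub check_key {
    my $k = shift;
    return length($k) == 20 && $k ne ("\0" x 20);
}

my $x = private_key();
die "bad private key" unless check_key($x);
printf "private key: %s\n", unpack('H*', $x);
printf "padding: %d bytes\n", length random_pad();
```

Crypt::URandom is the CPAN module named in the workaround; Digest::SHA ships with core Perl.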


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type: Metrics
Values removed: none
Values added:
  cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Type: Description
Values removed: none
Values added: the description shown at the top of this page

Type: Title
Values removed: none
Values added: Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG

Type: Weaknesses
Values removed: none
Values added: CWE-330, CWE-338

Type: References
Values removed: none
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-06-30T14:20:32.388Z

Reserved: 2026-06-23T18:20:33.514Z

Link: CVE-2026-57082

Vulnrichment

Updated: 2026-06-30T14:19:42.344Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:00:06Z

Weaknesses
  • CWE-330: Use of Insufficiently Random Values
  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)