Random Stream Predictability in Bytes::Random::Secure::Tiny for Perl
CVE-2026-11702

Currently unrated

Key Information:

Vendor: Davido

CVE Published: 26 June 2026

What is CVE-2026-11702?

The Bytes::Random::Secure::Tiny module for Perl has a vulnerability that arises when internal state is shared across forked processes. Specifically, if an instance of the object is initialized before forking, every child process inherits a copy of the same pseudo-random number generator (PRNG) internal state. The children then produce predictable random streams in multiprocess applications, leaving sensitive data such as secrets susceptible to exposure. Developers using this module should avoid pre-fork initialization or upgrade to a patched version to ensure secure random number generation.
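The following Perl script is an added example, not code from the module or from this advisory. It places the pre-fork pattern described above next to a per-process wrapper that creates a fresh generator whenever the process ID changes, and reports whether two children produced the same token. The helper names `fork_safe_rng` and `from_children` are hypothetical.

```perl
use strict;
use warnings;
use Bytes::Random::Secure::Tiny;

# Hypothetical helper: hands out a generator seeded in the current process.
my ($rng, $rng_pid);
sub fork_safe_rng {
    if (!defined $rng || $rng_pid != $$) {    # $$ differs in a forked child
        $rng     = Bytes::Random::Secure::Tiny->new;
        $rng_pid = $$;
    }
    return $rng;
}

# Hypothetical helper: run $code in $n forked children, one output line each.
sub from_children {
    my ($n, $code) = @_;
    my @out;
    for (1 .. $n) {
        pipe(my $r, my $w) or die "pipe: $!";
        my $pid = fork();
        die "fork: $!" unless defined $pid;
        if ($pid == 0) {                      # child: emit one token and exit
            close $r;
            print {$w} $code->(), "\n";
            close $w;
            exit 0;
        }
        close $w;                             # parent: read the child's token
        chomp(my $line = <$r>);
        close $r;
        waitpid($pid, 0);
        push @out, $line;
    }
    return @out;
}

# Pattern from the advisory: object created before fork, then used in children.
my $shared = Bytes::Random::Secure::Tiny->new;
fork_safe_rng();    # the wrapper is also first called pre-fork, on purpose

my @risky = from_children(2, sub { $shared->bytes_hex(16) });
my @safe  = from_children(2, sub { fork_safe_rng()->bytes_hex(16) });

printf "pre-fork object : %s\n",
    $risky[0] eq $risky[1] ? "IDENTICAL tokens" : "distinct tokens";
printf "per-process rng : %s\n",
    $safe[0] eq $safe[1] ? "IDENTICAL tokens" : "distinct tokens";
```

Running this against the installed module version also works as a quick check of whether a deployment still shows the pre-fork behaviour described in this advisory.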

Affected Version(s)

Bytes::Random::Secure::Tiny: versions 0 through 1.011 (inclusive)
