DSA Signing Vulnerability in Crypt::DSA for Perl Software
CVE-2026-14570

Currently unrated

Key Information:

Vendor: Timlegge

CVE Published: 5 July 2026

What is CVE-2026-14570?

Versions of the Crypt::DSA library for Perl prior to 1.22 contain a significant vulnerability that may compromise private keys. The issue stems from the DSA signing nonce and private key being generated using a biased random number generator. Specifically, the high bit of values produced by the function Crypt::DSA::Util::makerandom is fixed, which creates a non-uniform distribution of generated values. This flaw enables an attacker to recover private keys after collecting a small number of signatures associated with the affected key, leveraging lattice attack techniques. Users of vulnerable versions are strongly advised to generate new keys immediately and upgrade to the latest version.
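The fixed high bit described above can be modelled and checked for with a short audit. This is an added example, not code from Crypt::DSA or from the advisory: the function names, the 61-bit stand-in for q and the choice to pin the high bit to 1 are assumptions made for illustration.

```python
import secrets

# Constructed stand-in for a DSA subgroup order q: the Mersenne prime 2^61 - 1.
# Real DSA uses a 160- to 256-bit q; the small size only keeps the demo fast.
Q = (1 << 61) - 1

def biased_draw(q):
    """Model of the flaw: take bit_length(q) random bits, then pin the high bit.
    Pinning it to 1 is an assumption; the advisory only says the bit is fixed."""
    bits = q.bit_length()
    return secrets.randbits(bits) | (1 << (bits - 1))

def uniform_draw(q):
    """Unbiased alternative: uniform over [1, q-1] from the OS CSPRNG."""
    return secrets.randbelow(q - 1) + 1

def stuck_bits(values, bits):
    """Return the bit positions that hold the same value in every sample."""
    all_ones = (1 << bits) - 1
    ever_set, ever_clear = 0, 0
    for v in values:
        ever_set |= v                # bits seen as 1 at least once
        ever_clear |= ~v & all_ones  # bits seen as 0 at least once
    constant = ~(ever_set & ever_clear) & all_ones
    return [i for i in range(bits) if constant >> i & 1]

def low_half_share(values, q):
    """Fraction of samples that fall below 2^(bits-1), i.e. with the high bit clear."""
    half = 1 << (q.bit_length() - 1)
    return sum(v < half for v in values) / len(values)

def audit(draw, q, samples=2000):
    """Sample a generator and report (stuck bit positions, share in the low half)."""
    values = [draw(q) for _ in range(samples)]
    return stuck_bits(values, q.bit_length()), low_half_share(values, q)

if __name__ == "__main__":
    for name, draw in (("biased", biased_draw), ("uniform", uniform_draw)):
        stuck, low = audit(draw, Q)
        print(f"{name:8s} stuck bits: {stuck}  share below 2^60: {low:.3f}")
```

A sound generator reports no stuck bits and roughly half of its values in the low half of the range; the modelled flaw never produces a value there, which is the non-uniform distribution the advisory refers to.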

Affected Version(s)

Crypt::DSA 0 < 1.22

Timeline

  • Vulnerability published

  • Vulnerability Reserved