Heap Buffer Overflow in Perl's Crypt::SysRandom::XS by Leont
CVE-2026-2597

7.5 HIGH

Key Information:

Vendor: Leont

CVE Published: 26 February 2026

What is CVE-2026-2597?

The Crypt::SysRandom::XS module for Perl, in versions prior to 0.010, contains a vulnerability in which the XS function random_bytes() does not validate its length parameter. Supplying a negative value can cause an integer overflow that results in a zero-byte allocation, after which the underlying randomness functions are invoked with an excessively large length. The result is heap memory corruption and application instability. Typical usage passes hardcoded length values, but applications that pass untrusted input as the length may be exposed to denial of service through this flaw.
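The following C sketch, added here as an illustration and not taken from the module's source, models the bug class the advisory describes: a signed Perl IV (modelled as `long`) flows unvalidated into size_t arithmetic, so len == -1 yields a zero-byte allocation and a SIZE_MAX fill length. The one-byte slack term in the allocation size and the MAX_RANDOM_BYTES cap are assumptions; the randomness source is stubbed so the example runs offline.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical unchecked conversion (NOT the module's code): the size
 * arithmetic only, with no memory touched, so it is safe to call. */
void unchecked_sizes(long len, size_t *alloc_len, size_t *fill_len)
{
    /* Assumed one-byte slack: for len == -1 this allocates 0 bytes. */
    *alloc_len = (size_t)(len + 1);
    /* The same -1 becomes SIZE_MAX when handed to the fill routine. */
    *fill_len = (size_t)len;
}

/* Hardened path: reject negatives and absurd sizes before any
 * allocation or call into the randomness source. Cap is an assumption. */
#define MAX_RANDOM_BYTES (64UL * 1024UL * 1024UL)

int validate_len(long len, size_t *out)
{
    if (len < 0)
        return 0;
    if ((unsigned long)len > MAX_RANDOM_BYTES)
        return 0;
    *out = (size_t)len;
    return 1;
}

/* Stand-in for getrandom(2)/arc4random_buf(); deterministic for the demo. */
static void fill_random_stub(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(i * 31u + 7u);
}

/* Returns a malloc'd buffer of exactly *out_len bytes, or NULL if the
 * requested length fails validation or allocation. Caller frees. */
unsigned char *random_bytes_checked(long len, size_t *out_len)
{
    size_t n;
    if (!validate_len(len, &n))
        return NULL;
    unsigned char *buf = malloc(n ? n : 1); /* avoid malloc(0) ambiguity */
    if (!buf)
        return NULL;
    fill_random_stub(buf, n);
    *out_len = n;
    return buf;
}
```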

Affected Version(s)

Crypt::SysRandom::XS: all versions from 0 up to, but not including, 0.010

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
