Inadequate PRNG Reseeding in CryptX Affects Perl Products
CVE-2026-41564

Currently unrated

Key Information:

Vendor

Mik

Status
Cryptx
Vendor
CVE Published:
23 April 2026

What is CVE-2026-41564?

CryptX, particularly versions prior to 0.088 for Perl, demonstrates a critical vulnerability in its implementation of the Pseudorandom Number Generator (PRNG) across its lightweight cryptographic modules like Crypt::PK::RSA, Crypt::PK::DSA, and others. The modules fail to reinitialize the PRNG state when a process forks, leading to identical random outputs for all child processes. This behavior severely compromises cryptographic operations, such as key generation, and can enable attackers to exploit nonce reuse and recover private signing keys. Services utilizing preforking architectures, such as the Starman web server, are particularly at risk since shared Crypt::PK::* objects retain byte-identical states across processes.

Affected Version(s)

CryptX 0 < 0.088

References

https://github.com/DCIT/perl-CryptX/security/advisories/G...
vendor-advisory
https://github.com/DCIT/perl-CryptX/commit/9a1dd3e0c27d68...
patch
https://metacpan.org/release/MIK/CryptX-0.088
release-notes

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.