Stack Buffer Overflow in CryptX for Perl Affects Multiple Decrypt Verify Helpers
CVE-2026-41565

7.5HIGH

Key Information:

Vendor

Mik

Status
Vendor
CVE Published:
28 May 2026

What is CVE-2026-41565?

A stack buffer overflow vulnerability exists in CryptX for Perl in versions prior to 0.088_001. It affects four AEAD decrypt_verify helper routines: gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, and eax_decrypt_verify. These routines copy the caller-supplied authentication tag into a fixed-size 144-byte stack buffer without validating the tag's length. A tag longer than the buffer overflows it, potentially allowing an attacker to corrupt the stack and execute arbitrary code. Version 0.088 added a length check to gcm_decrypt_verify; version 0.088_001 extended the check to the remaining three routines.
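As an added illustration (not CryptX's code), this is the defensive pattern the fix describes: a decrypt_verify-style tag check that bounds the caller-supplied tag length against the 144-byte stack buffer before copying anything into it. Function names and sample tag bytes are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Fixed-size stack buffer, matching the 144 bytes named in the advisory. */
#define TAG_BUF_LEN 144

/* Constant-time comparison: 0 when equal, nonzero otherwise. */
static int ct_memcmp(const unsigned char *a, const unsigned char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff;
}

/*
 * Hypothetical decrypt_verify tag check (constructed, not CryptX's code).
 * expected/expected_len: tag recomputed by the AEAD over the ciphertext.
 * tag/tag_len: caller-supplied tag.
 * Returns -1 if the supplied tag would not fit the buffer (rejected before
 * any copy, which is the check the advisory says was missing),
 * 0 if it does not authenticate, 1 if it matches.
 */
int verify_tag_checked(const unsigned char *expected, size_t expected_len,
                       const unsigned char *tag, size_t tag_len) {
    unsigned char buf[TAG_BUF_LEN];

    /* Bound the length first; only then is memcpy into buf safe. */
    if (tag == NULL || tag_len == 0 || tag_len > sizeof(buf))
        return -1;
    if (expected_len != tag_len)
        return 0;                       /* wrong length can never verify */

    memcpy(buf, tag, tag_len);          /* bounded by the check above */
    return ct_memcmp(buf, expected, tag_len) == 0 ? 1 : 0;
}

/* Constructed 16-byte sample tag (not taken from the advisory). */
static const unsigned char SAMPLE_TAG[16] = {
    0x1f, 0x2e, 0x3d, 0x4c, 0x5b, 0x6a, 0x79, 0x88,
    0x97, 0xa6, 0xb5, 0xc4, 0xd3, 0xe2, 0xf1, 0x00 };

int demo_matching_tag(void) {
    return verify_tag_checked(SAMPLE_TAG, 16, SAMPLE_TAG, 16);
}
int demo_tampered_tag(void) {
    unsigned char bad[16];
    memcpy(bad, SAMPLE_TAG, 16);
    bad[15] ^= 0x01;                    /* flip one bit: must not verify */
    return verify_tag_checked(SAMPLE_TAG, 16, bad, 16);
}
int demo_oversized_tag(void) {
    unsigned char huge[TAG_BUF_LEN + 64] = {0};   /* longer than the buffer */
    return verify_tag_checked(SAMPLE_TAG, 16, huge, sizeof(huge));
}
```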

Affected Version(s)

CryptX 0 < 0.088_001

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
