CVE-2026-2474: Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom() Stig Palmquist 16 Feb 2026 20:59 UTC

========================================================================
CVE-2026-2474                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-2474
  Distribution:  Crypt-URandom
      Versions:  from 0.41 before 0.55

      MetaCPAN:  https://metacpan.org/dist/Crypt-URandom
      VCS Repo:  https://github.com/david-dick/crypt-urandom

Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to
a heap buffer overflow in the XS function crypt_urandom_getrandom()

Description
-----------
Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to
a heap buffer overflow in the XS function crypt_urandom_getrandom().

The function does not validate that the length parameter is
non-negative. If a negative value (e.g. -1) is supplied, the expression
length + 1u causes an integer wraparound, resulting in a zero-byte
allocation. The subsequent call to getrandom(data, length,
GRND_NONBLOCK) passes the original negative value, which is implicitly
converted to a large unsigned value (typically SIZE_MAX). This can
result in writes beyond the allocated buffer, leading to heap memory
corruption and application crash (denial of service).

In common usage, the length argument is typically hardcoded by the
caller, which reduces the likelihood of attacker-controlled
exploitation. Applications that pass untrusted input to this parameter
may be affected.
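As an added illustration (constructed C, not the module's XS source), the two size computations the advisory describes, side by side with the validation a wrapper or the function itself should apply before sizing anything; max_len, fake_source and the 64-byte demo buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Models the arithmetic from the advisory (constructed, not the module's XS code).
 * length is a C int; "length + 1u" is evaluated in unsigned int, so -1 wraps to 0. */
size_t wrapped_alloc_size(int length) {
    return (size_t)(length + 1u);
}

/* The count that reaches getrandom() after the implicit int -> size_t conversion. */
size_t converted_request_size(int length) {
    return (size_t)length;
}

/* 1 when the request is larger than the buffer that would be allocated for it. */
int request_exceeds_alloc(int length) {
    return converted_request_size(length) > wrapped_alloc_size(length);
}

/* Hardened check: reject negative lengths and anything above a caller-chosen cap
 * (max_len is an assumption for illustration, not a value from the module). */
int length_is_valid(int length, size_t max_len) {
    if (length < 0) return 0;
    if ((size_t)length > max_len) return 0;
    return 1;
}

/* Constructed deterministic byte source standing in for getrandom(). */
static void fake_source(unsigned char *buf, size_t n) {
    for (size_t i = 0; i < n; i++) buf[i] = (unsigned char)(i * 7 + 3);
}

/* Hardened fill: validates before sizing, then only ever asks for a count that
 * fits the buffer. Returns bytes written, or -1 when the length is rejected. */
long hardened_fill(int length, unsigned char *out, size_t out_cap) {
    if (!length_is_valid(length, out_cap > 0 ? out_cap - 1 : 0)) return -1;
    size_t n = (size_t)length;          /* safe: non-negative and <= out_cap - 1 */
    fake_source(out, n);
    out[n] = '\0';                      /* the extra byte from length + 1 */
    return (long)n;
}

/* Convenience wrapper over a fixed 64-byte buffer for quick checks. */
long demo_fill(int length) {
    static unsigned char buf[64];
    return hardened_fill(length, buf, sizeof buf);
}
```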

Problem types
-------------
- CWE-122 Heap-based Buffer Overflow
- CWE-1284 Improper Validation of Specified Quantity in Input

Solutions
---------
Update to version 0.55 or later.

References
----------
https://metacpan.org/release/DDICK/Crypt-URandom-0.55/source/Changes
https://metacpan.org/release/DDICK/Crypt-URandom-0.54/source/URandom.xs#L35-79