CVE-2026-2588: Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems

CVE-2026-2588: Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems Timothy Legge 22 Feb 2026 23:33 UTC


========================================================================
CVE-2026-2588                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-2588
   Distribution:  Crypt-NaCl-Sodium
       Versions:  through 2.001

       MetaCPAN:  https://metacpan.org/dist/Crypt-NaCl-Sodium
       VCS Repo:  https://github.com/cpan-authors/crypt-nacl-sodium

Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer
overflow flaw on 32-bit systems

Description
-----------
Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer
overflow flaw on 32-bit systems.

Sodium.xs casts a STRLEN (size_t) to unsigned long long when passing a
length pointer to libsodium functions.	On 32-bit systems size_t is
typically 32-bits while an unsigned long long is at least 64-bits.

Problem types
-------------
- CWE-190 Integer Overflow or Wraparound

Solutions
---------
Upgrade to version 2.002

References
----------
https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119
https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch
https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch

Credits
-------
Timothy Legge (timlegge), finder