CVE-2026-2597: Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function random_bytes()
Timothy Legge 26 Feb 2026 23:31 UTC
========================================================================
CVE-2026-2597 CPAN Security Group
========================================================================
CVE ID: CVE-2026-2597
Distribution: Crypt-SysRandom-XS
Versions: before 0.010
MetaCPAN: https://metacpan.org/dist/Crypt-SysRandom-XS
VCS Repo: https://github.com/Leont/crypt-sysrandom-xs
Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a
heap buffer overflow in the XS function random_bytes()
Description
-----------
Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a
heap buffer overflow in the XS function random_bytes().
The function does not validate that the length parameter is
non-negative. If a negative value (e.g. -1) is supplied, the expression
length + 1u wraps around, so the output buffer is allocated with zero
bytes. The subsequent call to the chosen random function (e.g.
getrandom) still receives the original negative value, which is
implicitly converted to a very large unsigned size (typically
SIZE_MAX). The random function then writes far beyond the allocated
buffer, corrupting heap memory and crashing the process (denial of
service).
In common usage the length argument is hard-coded by the caller, which
makes attacker control of this parameter unlikely. Applications that
pass untrusted input (for example a request parameter) through to this
argument may be affected.
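The arithmetic described above, as an added illustration that is not
the module's own code: vulnerable_alloc_size() and
vulnerable_request_size() reproduce the two sizes the unfixed pattern
computes from a negative length (the wrapped allocation size versus the
byte count handed to the randomness source), and safe_random_bytes()
shows the hardened shape with the non-negative check in front. The IV
and STRLEN typedefs are stand-ins for Perl's types on a 64-bit build,
fill_bytes() is a deterministic stand-in for getrandom so the example
runs offline, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for Perl's IV (signed integer) and STRLEN (size_t) on a
 * 64-bit build. Assumptions for illustration only, not from perl.h. */
typedef int64_t IV;
typedef size_t  STRLEN;

/* Allocation size the vulnerable pattern computes: length + 1u.
 * For length == -1 the sum is 0, so a zero-byte buffer results;
 * for other negative values it becomes a huge STRLEN instead. */
STRLEN vulnerable_alloc_size(IV length) {
    return (STRLEN)(length + 1u);
}

/* Byte count the randomness source (e.g. getrandom) would receive:
 * the original signed value implicitly converted to size_t, so -1
 * becomes SIZE_MAX while the buffer above holds zero bytes. */
size_t vulnerable_request_size(IV length) {
    return (size_t)length;
}

/* The check the fix adds: reject negative lengths before any
 * arithmetic or allocation happens. */
bool length_is_valid(IV length) {
    return length >= 0;
}

/* Deterministic stand-in for the OS randomness source so the example
 * runs offline. Writes exactly len bytes into buf and nothing more. */
static void fill_bytes(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(0xA5 ^ (i & 0xFF));
}

/* Hardened random_bytes: validate first, then allocate length + 1 for
 * a terminating NUL and request exactly length bytes. Returns NULL on
 * a negative length or allocation failure; the caller frees the buffer
 * and receives the byte count via out_len. */
unsigned char *safe_random_bytes(IV length, size_t *out_len) {
    if (!length_is_valid(length))
        return NULL;
    STRLEN alloc = (STRLEN)length + 1u;   /* cannot wrap: length >= 0 */
    unsigned char *buf = malloc(alloc);
    if (!buf)
        return NULL;
    fill_bytes(buf, (size_t)length);
    buf[length] = '\0';
    if (out_len)
        *out_len = (size_t)length;
    return buf;
}

int main(void) {
    IV bad = -1;
    printf("length=%lld: allocated %zu bytes, requested %zu bytes\n",
           (long long)bad, vulnerable_alloc_size(bad),
           vulnerable_request_size(bad));

    size_t n = 0;
    unsigned char *b = safe_random_bytes(16, &n);
    printf("safe_random_bytes(16) -> %zu bytes\n", n);
    free(b);

    b = safe_random_bytes(bad, &n);
    printf("safe_random_bytes(-1) -> %s\n", b ? "buffer" : "rejected");
    free(b);
    return 0;
}
```

The mismatch is the whole bug: the allocator sees the wrapped sum while
the randomness source sees the converted original, and once length is
rejected when negative the two sizes can only differ by the trailing
NUL byte.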
Problem types
-------------
- CWE-122 Heap-based Buffer Overflow
- CWE-1284 Improper Validation of Specified Quantity in Input
Solutions
---------
Update to version 0.010 or later
References
----------
https://metacpan.org/dist/Crypt-SysRandom-XS/changes
https://metacpan.org/release/LEONT/Crypt-SysRandom-XS-0.011/source/lib/Crypt/SysRandom/XS.xs#L51-52