CVE-2026-5086: Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks Robert Rothenberg 13 Apr 2026 22:57 UTC

========================================================================
CVE-2026-5086                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-5086
   Distribution:  Crypt-SecretBuffer
       Versions:  before 0.019

       MetaCPAN:  https://metacpan.org/dist/Crypt-SecretBuffer
       VCS Repo:  https://github.com/nrdvana/perl-Crypt-SecretBuffer

Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to
timing attacks

Description
-----------
Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to
timing attacks.

For example, if Crypt::SecretBuffer was used to store and compare
plaintext passwords, then discrepancies in timing could be used to
guess the secret password.
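
The following is an added illustration of CWE-208, not code from
Crypt::SecretBuffer or from this advisory. It contrasts an early-exit
comparison with a constant-time one; the function names and the sample
secret are hypothetical, and a count of loop iterations stands in for
elapsed time.

```c
#include <stddef.h>
#include <stdio.h>

#define SECRET_LEN 8
/* Constructed sample secret, not taken from the advisory. */
static const unsigned char SECRET[SECRET_LEN] = {'h','u','n','t','e','r','2','!'};

/* Early-exit comparison (the leaky pattern). *steps counts the byte
 * comparisons performed, a deterministic stand-in for elapsed time. */
static int leaky_equal(const unsigned char *a, const unsigned char *b,
                       size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 0;           /* stops at the first mismatching byte */
    }
    return 1;
}

/* Constant-time comparison: every byte is examined and differences are
 * OR-ed together, so the work done does not depend on where they differ.
 * volatile discourages the compiler from reintroducing an early exit. */
static int ct_equal(const unsigned char *a, const unsigned char *b,
                    size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Work done when an 8-byte input is compared against SECRET. */
static size_t leaky_steps(const char *in)
{ size_t s; leaky_equal(SECRET, (const unsigned char *)in, SECRET_LEN, &s); return s; }
static size_t ct_steps(const char *in)
{ size_t s; ct_equal(SECRET, (const unsigned char *)in, SECRET_LEN, &s); return s; }

int main(void)
{
    const char *inputs[] = {"xxxxxxxx", "hunxxxxx", "hunter2!"};
    for (int i = 0; i < 3; i++)
        printf("%s  leaky=%zu  constant-time=%zu\n",
               inputs[i], leaky_steps(inputs[i]), ct_steps(inputs[i]));
    return 0;
}
```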

Problem types
-------------
- CWE-208 Observable Timing Discrepancy

Solutions
---------
Upgrade to version 0.019 or later.

References
----------
https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes