CVE-2026-41565: CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers

Stig Palmquist
28 May 2026 14:15 UTC

========================================================================
CVE-2026-41565                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-41565
  Distribution:  CryptX
      Versions:  before 0.088_001

      MetaCPAN:  https://metacpan.org/dist/CryptX
      VCS Repo:  https://github.com/DCIT/perl-CryptX

CryptX versions before 0.088_001 for Perl have a stack buffer overflow
in four AEAD decrypt_verify helpers

Description
-----------
CryptX versions before 0.088_001 for Perl have a stack buffer overflow
in four AEAD decrypt_verify helpers.

The gcm_decrypt_verify, ccm_decrypt_verify,
chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines
copied the caller-supplied authentication tag into a fixed 144-byte
stack buffer (MAXBLOCKSIZE) without checking the supplied length. A
longer tag overwrites the stack past the buffer. Version 0.088 added
the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other
three.

Any caller of an affected helper that forwards an attacker-controlled
tag longer than the buffer can trigger the overflow.
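
The unchecked copy and the clamp described above, as an added C
illustration that is not CryptX's XS source or the upstream patch. The
function names, the comparison helper, the zero-filled sample tags and the
exact form of the clamp are assumptions; only the 144-byte MAXBLOCKSIZE
buffer comes from the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXBLOCKSIZE 144  /* stack buffer size named in the advisory */

/* Constant-time compare; stands in for the AEAD tag check (assumption). */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* The clamp: a copy length can never exceed the destination size. */
size_t clamp_tag_len(size_t tag_len)
{
    return tag_len > MAXBLOCKSIZE ? MAXBLOCKSIZE : tag_len;
}

/* Pattern the advisory describes, for comparison only: the caller-supplied
 * tag_len is the copy length, so tag_len > 144 writes past buf (CWE-121). */
int verify_tag_unchecked(const unsigned char *tag, size_t tag_len,
                         const unsigned char *want, size_t want_len)
{
    unsigned char buf[MAXBLOCKSIZE];
    memcpy(buf, tag, tag_len);
    return tag_len == want_len && ct_equal(buf, want, want_len);
}

/* Hardened form: clamp, copy, and treat a truncated tag as a failure. */
int verify_tag_checked(const unsigned char *tag, size_t tag_len,
                       const unsigned char *want, size_t want_len)
{
    unsigned char buf[MAXBLOCKSIZE];
    size_t n = clamp_tag_len(tag_len);
    memcpy(buf, tag, n);                      /* n <= sizeof(buf) */
    return n == tag_len && tag_len == want_len && ct_equal(buf, want, want_len);
}

/* Constructed sample data (zero-filled): a 16-byte tag and a 200-byte one. */
static const unsigned char SAMPLE_TAG[16] = {0}, OVERSIZED_TAG[200] = {0};

int main(void)
{
    printf("16-byte tag:  %d\n", verify_tag_checked(SAMPLE_TAG, 16, SAMPLE_TAG, 16));
    printf("200-byte tag: %d\n", verify_tag_checked(OVERSIZED_TAG, 200, SAMPLE_TAG, 16));
    return 0;
}
```

The hardened function also compares the original length, so a tag that was
truncated by the clamp can never verify.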

Problem types
-------------
- CWE-121 Stack-based Buffer Overflow

Solutions
---------
Upgrade to CryptX 0.088_001 or later.

References
----------
https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1.patch
https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch
https://metacpan.org/release/MIK/CryptX-0.088_001

Timeline
--------
- 2026-04-21: Issue reported.
- 2026-04-23: Version 0.088 released with fix for gcm_decrypt_verify.
- 2026-04-28: Version 0.088_001 released with fixes for the remaining
  three helpers.