Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Perl's Crypt::SysRandom::XS can crash if given a negative length
CVE-2026-2597
Summary
A critical issue in Perl's Crypt::SysRandom::XS module can cause it to crash if it receives a negative value for the length of random data it's asked to generate. This is unlikely to happen with typical usage, but could be a risk if your application passes untrusted input to this module. To stay safe, update to version 0.010 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| leont | crypt\ | \ | – |
Original title
Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes().
The function does not validate that the length parameter is non-negat...
Original description
Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes().
The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service).
In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service).
In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
nvd CVSS3.1
7.5
Vulnerability type
CWE-122
Heap-based Buffer Overflow
CWE-1284
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026