Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Perl Crypt::URandom versions 0.41-0.54 may crash if given incorrect input
CVE-2026-2474
Summary
A bug in Perl's Crypt::URandom module can cause a crash if the application is given an incorrect length for random data. This issue is most likely to affect applications that pass untrusted input to the affected function. To stay safe, update to version 0.55 or later of Crypt::URandom.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| ddick | crypt\ | \ | – |
Original title
Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom().
The function does not validate that the length paramete...
Original description
Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom().
The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service).
In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service).
In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
nvd CVSS3.1
7.5
Vulnerability type
CWE-122
Heap-based Buffer Overflow
CWE-1284
- https://metacpan.org/release/DDICK/Crypt-URandom-0.54/source/URandom.xs#L35-79 Issue Tracking
- https://metacpan.org/release/DDICK/Crypt-URandom-0.55/source/Changes Release Notes Product
Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026