PT-2026-23893 · Unknown · Crypt::Nacl::Sodium

Brad Barden · Published 2026-03-08 · Updated 2026-03-13 · CVE-2026-30909

CVSS v3.1: 9.8 Critical · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Crypt::NaCl::Sodium versions through 2.002

Description

The Crypt::NaCl::Sodium library for Perl, versions through 2.002, can suffer integer overflows in the bin2hex, encrypt, aes256gcm_encrypt_afternm and seal functions. These functions compute the required output size without checking that it stays within SIZE_MAX, so the calculation can wrap around and produce an undersized output buffer. Triggering the issue is unlikely because it requires exceptionally large inputs: for bin2hex() the input length (bin_len) would need to exceed SIZE_MAX / 2; for encrypt() the message length (msg_len) would need to exceed SIZE_MAX - 16U; for aes256gcm_encrypt_afternm() the message length (msg_len) would need to exceed SIZE_MAX - 16U; for seal() the encrypted length (enc_len) would need to exceed SIZE_MAX - 64U. SIZE_MAX is 2^64 - 1 on 64-bit builds and 2^32 - 1 on 32-bit builds, so on a 32-bit Perl the thresholds are in the gigabyte range rather than the exabyte range.

Recommendations

Update to version 2.003 or later.
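The bug class described above, as an added illustration that is not the Crypt::NaCl::Sodium XS code: an unchecked output-size computation that wraps modulo SIZE_MAX + 1, next to the checked form that rejects the input before adding. The 16-byte and 64-byte overheads and the SIZE_MAX / 2 threshold for bin2hex are taken from the advisory text; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Overheads named in the advisory: 16 bytes added by encrypt() and
 * aes256gcm_encrypt_afternm(), 64 bytes added by seal().  The helpers below
 * are illustrative and are not the library's own code. */
#define MAC_BYTES  16U
#define SEAL_BYTES 64U

/* Unchecked pattern (the bug class): size_t addition wraps silently, so a
 * message of SIZE_MAX - 15 bytes yields an "output length" of 0. */
size_t unchecked_out_len(size_t msg_len, size_t overhead)
{
    return msg_len + overhead;
}

/* Checked pattern: compare before adding.  SIZE_MAX - overhead cannot itself
 * underflow because overhead is a small constant. */
int checked_out_len(size_t msg_len, size_t overhead, size_t *out)
{
    if (msg_len > SIZE_MAX - overhead)
        return -1;              /* caller must fail, not allocate */
    *out = msg_len + overhead;
    return 0;
}

/* Hex encoding doubles the length; the advisory gives SIZE_MAX / 2 as the
 * largest bin_len that still fits. */
int checked_hex_len(size_t bin_len, size_t *out)
{
    if (bin_len > SIZE_MAX / 2)
        return -1;
    *out = bin_len * 2;
    return 0;
}

/* Exercises the exact boundaries stated in the advisory.  Returns the number
 * of expectations that failed; 0 means every threshold behaves as described. */
int run_boundary_checks(void)
{
    int failed = 0;
    size_t out = 0;

    /* encrypt() / aes256gcm_encrypt_afternm(): SIZE_MAX - 16 is the last safe length */
    if (checked_out_len(SIZE_MAX - MAC_BYTES, MAC_BYTES, &out) != 0 || out != SIZE_MAX) failed++;
    if (checked_out_len(SIZE_MAX - MAC_BYTES + 1, MAC_BYTES, &out) != -1) failed++;
    if (unchecked_out_len(SIZE_MAX - MAC_BYTES + 1, MAC_BYTES) != 0) failed++;

    /* seal(): SIZE_MAX - 64 is the last safe length */
    if (checked_out_len(SIZE_MAX - SEAL_BYTES, SEAL_BYTES, &out) != 0 || out != SIZE_MAX) failed++;
    if (checked_out_len(SIZE_MAX - SEAL_BYTES + 1, SEAL_BYTES, &out) != -1) failed++;

    /* bin2hex(): SIZE_MAX / 2 is the last safe length */
    if (checked_hex_len(SIZE_MAX / 2, &out) != 0) failed++;
    if (checked_hex_len(SIZE_MAX / 2 + 1, &out) != -1) failed++;

    /* ordinary sizes still pass */
    if (checked_out_len(100, MAC_BYTES, &out) != 0 || out != 116) failed++;
    if (checked_hex_len(32, &out) != 0 || out != 64) failed++;

    return failed;
}

int main(void)
{
    size_t wrapped = unchecked_out_len(SIZE_MAX - MAC_BYTES + 1, MAC_BYTES);
    printf("unchecked: msg_len = SIZE_MAX - 15 -> out_len = %zu (wrapped)\n", wrapped);
    printf("boundary checks failed: %d\n", run_boundary_checks());
    return 0;
}
```

The comparison form is portable C; on GCC and Clang, __builtin_add_overflow(msg_len, overhead, &out) expresses the same check in one call. Whichever form is used, the important property is that the rejection happens before any buffer is sized from the sum.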

Fix

Weakness Enumeration

Integer Overflow

Related Identifiers

CVE-2026-30909

Affected Products

Crypt::Nacl::Sodium