CVE-2026-2597

Name of the Vulnerable Software and Affected Versions Crypt::SysRandom::XS versions prior to 0.010

Description The software contains a flaw in the random bytes() function where it does not properly validate the input length parameter. Supplying a negative value for length can lead to an integer wraparound, resulting in a zero-byte allocation. The subsequent call to a random function then uses the original negative value, which is converted to a large unsigned value. This can cause writes beyond the allocated buffer, leading to heap memory corruption and a potential denial of service. Applications that pass untrusted input to this parameter are most at risk.

Recommendations Update to Crypt::SysRandom::XS version 0.010 or later.