CVE-2026-41564

Name of the Vulnerable Software and Affected Versions CryptX versions prior to 0.088

Description CryptX for Perl fails to reseed the Crypt::PK Pseudo-Random Number Generator (PRNG) state after a fork operation. The modules Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519, and Crypt::PK::X25519 seed a per-object PRNG state during construction and reuse it without detecting forks. Consequently, any Crypt::PK::* object created before fork() shares an identical PRNG state across all child processes. This can lead to identical outputs for randomized operations, including key generation. Specifically, two ECDSA or DSA signatures from different processes can allow the recovery of the signing private key through nonce-reuse key recovery. This issue impacts preforking services, such as the Starman web server, where objects loaded at startup are inherited by worker processes.

Recommendations Update to version 0.088 or later.