CVE-2026-57080

Name of the Vulnerable Software and Affected Versions Net::BitTorrent versions prior to 2.0.2

Description Remote memory exhaustion is possible due to an uncapped peer-wire message-length prefix. The peer-wire framing in the process messages() function trusts the 4-byte length prefix sent by a connected peer without an upper bound, while receive data() appends every inbound byte to the input buffer. An unauthenticated peer can announce a length prefix of up to approximately 4 GiB and stream bytes, causing the buffer to grow without limit as the decoder waits for the full message. Since the largest legitimate message is a 16 KiB piece block, any length significantly exceeding this is anomalous.

Recommendations Update Net::BitTorrent to version 2.0.2 or later.