PT-2026-53856 · Cpan · Net::Bittorrent

Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-57081

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Net::BitTorrent versions prior to 2.0.2

Description

Remote memory exhaustion is possible through the processing of deeply nested bencoded input. The bdecode() function recurses for each nested list or dictionary level without a depth limit. During this process, each recursive call receives the remaining buffer by value, causing every active recursion frame to maintain its own copy of the shrinking buffer, resulting in O(N^2) memory consumption. This issue affects the processing of .torrent files, BEP09 metadata from peers, DHT messages, and tracker responses. For example, a bencoded input containing approximately 150,000 nested lists (roughly 150 KB) can trigger multi-gigabyte peak memory usage, leading to client termination.

Recommendations

Update Net::BitTorrent to version 2.0.2 or later.
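
The description names two defects: recursion with no depth limit and a buffer copy held by every frame. The Perl pre-check below is an added example, not code from Net::BitTorrent or its 2.0.2 fix; it scans untrusted bencoded input by offset with one depth counter and rejects excessive nesting. The function name `bencode_depth_ok` and the limit of 64 are assumptions.

```perl
use strict;
use warnings;

# Hypothetical pre-check, not part of Net::BitTorrent: scan a bencoded buffer
# by offset with a single depth counter, so the scanner keeps no per-level
# state however deeply the input nests. Structural check only (dictionary key
# rules are not verified). Returns 1 if the buffer holds exactly one
# well-formed value nested no deeper than $max_depth, otherwise 0.
sub bencode_depth_ok {
    my ($buf_ref, $max_depth) = @_;
    $max_depth //= 64;    # assumed limit, not a value from the advisory
    my $len   = length $$buf_ref;
    my $depth = 0;
    my $done  = 0;        # true once the top-level value is complete
    pos($$buf_ref) = 0;
    while (pos($$buf_ref) < $len) {
        return 0 if $done;                         # trailing bytes
        if ($$buf_ref =~ /\G[ld]/gc) {             # open list or dictionary
            return 0 if ++$depth > $max_depth;     # too deep: reject early
            next;
        }
        if ($$buf_ref =~ /\Ge/gc) {                # close container
            return 0 if $depth-- == 0;             # close without open
        }
        elsif ($$buf_ref =~ /\Gi-?[0-9]+e/gc) {    # integer
        }
        elsif ($$buf_ref =~ /\G([0-9]+):/gc) {     # string: skip its bytes
            my $end = pos($$buf_ref) + $1;
            return 0 if $end > $len;               # declared length overruns
            pos($$buf_ref) = $end;
        }
        else {
            return 0;                              # unknown token
        }
        $done = 1 if $depth == 0;
    }
    return $done;
}

# Constructed samples: a small torrent-like dictionary and the nesting
# pattern from the description (about 150,000 nested lists).
my $normal = 'd8:announce3:url4:infod6:lengthi1024e4:name8:file.binee';
my $nested = 'l' x 150_000;
printf "normal: %s\n", bencode_depth_ok(\$normal) ? 'accept' : 'reject';
printf "nested: %s\n", bencode_depth_ok(\$nested) ? 'accept' : 'reject';
```

Passing the buffer by reference avoids even a single copy of the input, and rejecting at the depth limit means the decoder is never invoked on pathological nesting.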

Fix

Uncontrolled Recursion

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-57081

Affected Products

Net::Bittorrent