CVE-2026-2474

Name of the Vulnerable Software and Affected Versions Crypt::URandom versions 0.41 through 0.55

Description The Perl module Crypt::URandom is susceptible to a heap buffer overflow within the crypt urandom getrandom() function. The issue arises because the function does not properly validate the length parameter, allowing a negative value to be supplied. This leads to an integer wraparound during memory allocation, resulting in a zero-byte allocation followed by a call to getrandom() with a large, unsigned value. This can cause writes beyond the allocated buffer, leading to heap memory corruption and a denial of service. Applications that pass untrusted input to this parameter may be particularly vulnerable.

Recommendations Update Crypt::URandom to a version newer than 0.55.