CVE-2026-2474
Published: 16 February 2026
Summary
CVE-2026-2474 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in the Perl module Crypt::URandom (vendor: Ddick). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 19.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-2474 is a heap buffer overflow vulnerability in the XS function crypt_urandom_getrandom() within the Perl module Crypt::URandom, affecting versions from 0.41 up to but not including 0.55. The function does not validate that the supplied length parameter is non-negative. When a negative value such as -1 is provided, the expression length + 1u triggers an integer wraparound, resulting in a zero-byte buffer allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative length, which is implicitly converted to a large unsigned value (typically SIZE_MAX), enabling writes beyond the allocated buffer boundaries. This leads to heap memory corruption and application crashes, corresponding to CWE-122 (Heap-based Buffer Overflow) and CWE-1284 (Wrap-around Error).
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable remotely with low attack complexity, no privileges or user interaction required. Any attacker able to control the length parameter—possible in applications that pass untrusted input to the function—can trigger the issue. However, in common usage, the length is typically hardcoded by the caller, which reduces the likelihood of practical exploitation. Successful attacks result in denial of service through application crashes, with no impact on confidentiality or integrity.
References point to the vulnerable source code in Crypt::URandom version 0.54 (URandom.xs lines 35-79) and the Changes file in the fixed version 0.55. Mitigation requires upgrading to Crypt::URandom version 0.55 or later, which presumably adds the necessary validation for non-negative length values.
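The two implicit conversions described above are the whole bug: the allocation size and the write size are derived from the same signed value by different routes and disagree for negative input. The following is an added illustration, not Crypt::URandom's own XS code; the parameter type `int` and the function names `unchecked_alloc_size`, `unchecked_write_size` and `checked_sizes` are assumptions made for the example. It reproduces the arithmetic in isolation (no buffer is written) and places the validating version beside it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the arithmetic described in the advisory.
 * The `int` parameter type and all function names are assumptions;
 * this is not the module's real XS code. */

/* Allocation size computed the way the advisory says the vulnerable code did:
 * `length + 1u` is evaluated in unsigned arithmetic, so a negative length
 * wraps around instead of being rejected. For -1 the result is 0 bytes. */
size_t unchecked_alloc_size(int length) {
    return (size_t)(length + 1u);
}

/* Size handed to the write (getrandom) the way the advisory describes:
 * the signed length is implicitly converted to size_t, so -1 becomes SIZE_MAX. */
size_t unchecked_write_size(int length) {
    return (size_t)length;
}

/* Hardened sizing: reject negative lengths up front and derive both sizes
 * from the same validated value, so allocation and write can never disagree.
 * Returns 1 on success (sizes stored in *alloc_len and *write_len), 0 on rejection. */
int checked_sizes(int length, size_t *alloc_len, size_t *write_len) {
    if (length < 0) {
        return 0;                          /* would have wrapped: refuse the request */
    }
    *write_len = (size_t)length;
    *alloc_len = (size_t)length + 1;       /* cannot overflow: length <= INT_MAX */
    return 1;
}

int main(void) {
    /* Constructed probe values: two valid lengths and two negative ones. */
    int probes[] = { 16, 0, -1, -2 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t a = 0, w = 0;
        int ok = checked_sizes(probes[i], &a, &w);
        printf("length=%d  unchecked: alloc=%zu write=%zu  | checked: %s\n",
               probes[i], unchecked_alloc_size(probes[i]),
               unchecked_write_size(probes[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Running it shows `length=-1` producing an allocation of 0 bytes against a write size of SIZE_MAX in the unchecked path, which is exactly the mismatch the advisory describes, while the checked path rejects it. The fix's essential property is that there is one validated size, not two independently converted ones.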
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7825
Vulnerability details
Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Application or System Exploitation
Why these techniques?
Heap buffer overflow with negative length input causes remote application crashes (DoS) when untrusted length reaches the vulnerable function; directly maps to application/system exploitation for availability impact.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely remediation of flaws such as the heap buffer overflow in Crypt::URandom by upgrading to version 0.55 or later.
- SI-16 (Memory Protection): Implements memory protection mechanisms that mitigate heap buffer overflows and the resulting memory corruption from integer wraparound.
- SI-10 (Information Input Validation): Mandates validation of inputs such as the length parameter, so that negative values cannot cause wraparound and buffer overflows in library functions.