Cyber Resilience

CVE-2026-2474

Severity: High
Published: 16 February 2026
Modified: 04 March 2026
KEV Added: not listed
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0006 (19.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2474 is a high-severity heap-based buffer overflow (CWE-122) in the Perl module Crypt::URandom (vendor: ddick). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 19.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-2474 is a heap buffer overflow in the XS function crypt_urandom_getrandom() of the Perl module Crypt::URandom, affecting versions from 0.41 up to but not including 0.55. The function does not validate that the supplied length parameter is non-negative. When a negative value such as -1 is supplied, the expression length + 1u wraps around to zero, so a zero-byte buffer is allocated. The subsequent call getrandom(data, length, GRND_NONBLOCK) passes the original negative length, which is implicitly converted to a large unsigned value (typically SIZE_MAX), so the kernel writes far beyond the allocated buffer. The result is heap memory corruption and an application crash, corresponding to CWE-122 (Heap-based Buffer Overflow) and CWE-1284 (Wrap-around Error).

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable remotely with low attack complexity, no privileges or user interaction required. Any attacker able to control the length parameter—possible in applications that pass untrusted input to the function—can trigger the issue. However, in common usage, the length is typically hardcoded by the caller, which reduces the likelihood of practical exploitation. Successful attacks result in denial of service through application crashes, with no impact on confidentiality or integrity.

References point to the vulnerable source code in Crypt::URandom version 0.54 (URandom.xs lines 35-79) and the Changes file in the fixed version 0.55. Mitigation requires upgrading to Crypt::URandom version 0.55 or later, which presumably adds the necessary validation for non-negative length values.

EU & UK References

Vulnerability details

Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
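The wraparound described in the deeper analysis and in the vulnerability details above, modelled in C as an added example for this page. This is not the Crypt::URandom XS code: the function names, the use of long as the length type, the 1 MiB cap, and the counter-byte fill standing in for getrandom() are all assumptions made so the example runs on any platform. The first two functions reproduce the arithmetic the advisory describes; the remaining ones show the check that a hardened call site performs before any unsigned arithmetic or allocation happens.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of the vulnerable arithmetic: a signed length is added
 * to the unsigned literal 1u before allocation. For length == -1 the sum is
 * 0 whether long is 32 or 64 bits, so a zero-byte buffer would be allocated. */
size_t wrapped_alloc_size(long length)
{
    return (size_t)(length + 1u);
}

/* The same negative length, implicitly converted to size_t when passed as a
 * byte count to a getrandom()-style call, becomes SIZE_MAX for -1. */
size_t implicit_unsigned_length(long length)
{
    return (size_t)length;
}

/* Hardened shape (assumed, not the module's code): reject negative lengths
 * before any conversion, then cap the request. Returns 0 on success and
 * stores the validated size in *out_len; returns -1 on a rejected length. */
int checked_length(long length, size_t max_len, size_t *out_len)
{
    if (length < 0)
        return -1;                      /* the check the advisory says is missing */
    if ((unsigned long)length > max_len)
        return -1;                      /* refuse absurd requests as well */
    *out_len = (size_t)length;
    return 0;
}

/* Convenience wrapper: -1 if the length is rejected, otherwise the length. */
long validated_length(long length)
{
    size_t n;
    if (checked_length(length, (size_t)1 << 20, &n) != 0)
        return -1;
    return (long)n;
}

/* Allocate and fill a buffer only after validation. The fill is a constructed
 * counter pattern standing in for getrandom(); the "+ 1" for a trailing NUL
 * happens on the validated size_t, so it can no longer wrap. Returns the
 * number of bytes produced, or -1 if the length was rejected. */
long fill_bytes_checked(long length)
{
    size_t n;
    if (checked_length(length, (size_t)1 << 20, &n) != 0)
        return -1;
    unsigned char *buf = malloc(n + 1);
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(i * 7 + 3);   /* constructed stand-in data */
    buf[n] = 0;
    long produced = (long)n;
    free(buf);
    return produced;
}

int main(void)
{
    printf("length -1: wrapped allocation size = %zu, implicit count = %zu\n",
           wrapped_alloc_size(-1), implicit_unsigned_length(-1));
    printf("validated_length(-1) = %ld, validated_length(32) = %ld\n",
           validated_length(-1), validated_length(32));
    printf("fill_bytes_checked(-1) = %ld, fill_bytes_checked(16) = %ld\n",
           fill_bytes_checked(-1), fill_bytes_checked(16));
    return 0;
}
```

The point of the pairing is that the two numbers in the first line (0 bytes allocated, SIZE_MAX bytes requested) come from the same input value and the same implicit conversions; the only difference in the hardened path is that the sign test happens while the value is still signed.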

CWE(s)

CWE-122 (Heap-based Buffer Overflow), CWE-1284 (Wrap-around Error)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Heap buffer overflow with negative length input causes remote application crashes (DoS) when untrusted length reaches the vulnerable function; directly maps to application/system exploitation for availability impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2597 (shared CWE-122, CWE-1284)
CVE-2025-32990 (shared CWE-122)
CVE-2025-12664 (shared CWE-1284)
CVE-2025-65548 (shared CWE-1284)
CVE-2026-28842 (shared CWE-122)
CVE-2025-0755 (shared CWE-122)
CVE-2021-47827 (shared CWE-1284)
CVE-2026-30931 (shared CWE-122)
CVE-2025-14511 (shared CWE-1284)
CVE-2026-30999 (shared CWE-122)

Affected Assets

Vendor: ddick
Product: crypt::urandom

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Requires timely remediation of flaws such as the heap buffer overflow in Crypt::URandom by upgrading to version 0.55 or later.

Memory protection (prevent): Implements memory protection mechanisms that mitigate heap buffer overflows and the resulting memory corruption from integer wraparound.

SI-10 Information Input Validation (prevent): Mandates validation of inputs such as the length parameter to prevent negative values from causing wraparound and buffer overflows in library functions.

References