CVE-2026-2588
Published: 23 February 2026
Summary
CVE-2026-2588 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in timlegge's Crypt::NaCl::Sodium Perl module. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 17.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely remediation of identified flaws, directly addressing the integer overflow in Crypt::NaCl::Sodium by requiring patches such as commit 557388bdb4da416a56663cda0154b80cd524395c.
RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability monitoring and scanning to identify deployments of vulnerable Crypt::NaCl::Sodium versions through 2.001 on 32-bit systems.
CM-8 (System Component Inventory): maintains an inventory of system components, enabling location and remediation of systems using the vulnerable Perl module.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated network exploitation of the integer overflow in the Perl libsodium binding enables compromise of public-facing applications (T1190) and directly supports application crashes or denial of service via malformed length parameters to cryptographic routines (T1499.004).
NVD Description
Crypt::NaCl::Sodium versions through 2.001 for Perl have an integer overflow flaw on 32-bit systems. Sodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32 bits while an unsigned long long is at least 64 bits.
Deeper analysis
CVE-2026-2588 is an integer overflow vulnerability (CWE-190) affecting Crypt::NaCl::Sodium versions through 2.001 for Perl, specifically on 32-bit systems. The flaw is in Sodium.xs, which casts a pointer to a STRLEN (size_t) to an unsigned long long pointer when passing a length out-parameter to libsodium functions. On 32-bit platforms size_t is typically 32 bits while unsigned long long is at least 64 bits, so the 64-bit length that libsodium writes back does not fit the 32-bit storage the caller provided; that mismatch is the overflow.
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity, as indicated by the CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). Successful exploitation can result in high integrity and availability impacts, potentially leading to crashes, denial of service, or manipulation of cryptographic operations due to incorrect length handling in libsodium calls.
Mitigation involves applying patches from the Crypt::NaCl::Sodium repository, such as commits 557388bdb4da416a56663cda0154b80cd524395c and 8cf7f66ba922443e131c9deae1ee00fafe4f62e4, which address the casting issue in Sodium.xs (e.g., around line 2119 in version 2.001 source). Security practitioners should upgrade to a patched version and verify deployments on 32-bit Perl environments using libsodium.
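The following C program is an added illustration of the bug class described above; it is not code from Crypt::NaCl::Sodium, libsodium or the referenced commits. It models a libsodium-style routine that reports its output length by storing an unsigned long long through a pointer, and shows the cast-pointer call beside a hardened call that receives the length in a correctly typed temporary and range-checks it before narrowing to STRLEN. The names mock_sodium_encrypt, strlen32_t, STRLEN32_MAX, MOCK_ABYTES, struct frame and CANARY are constructed for the demonstration; strlen32_t stands in for the 32-bit STRLEN so the effect is visible on a 64-bit host.

```c
/* Added illustration of the CVE-2026-2588 bug class (not the module's own
 * code). A libsodium-style callee stores an unsigned long long through a
 * pointer; the XS caller hands it a cast pointer to a STRLEN (size_t). On a
 * 32-bit build size_t is 4 bytes, so the 8-byte store runs past the variable.
 * strlen32_t below models that 32-bit STRLEN (assumption for the demo). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t strlen32_t;           /* models STRLEN on a 32-bit Perl */
#define STRLEN32_MAX UINT32_MAX        /* models SIZE_MAX on that build  */
#define MOCK_ABYTES 16ULL              /* constructed tag length, like an AEAD's ABYTES */
#define CANARY 0xAAAAAAAAu             /* constructed marker for the neighbouring field */

/* Constructed stand-in for a libsodium routine: it reports the output length
 * by writing sizeof(unsigned long long) == 8 bytes through clen_p. */
static int mock_sodium_encrypt(unsigned long long *clen_p, unsigned long long mlen)
{
    unsigned long long clen = mlen + MOCK_ABYTES;
    memcpy(clen_p, &clen, sizeof clen);   /* the callee always stores 8 bytes */
    return 0;
}

/* Two adjacent 4-byte fields: a STRLEN local and whatever the compiler placed
 * next to it. _Alignas keeps the cast pointer validly aligned for the demo. */
struct frame {
    _Alignas(8) strlen32_t len;
    uint32_t neighbor;
};

/* Vulnerable pattern (as described for Sodium.xs): cast the STRLEN pointer.
 * The callee's 8-byte store lands on len AND neighbor. */
static void vulnerable_call(struct frame *f, unsigned long long mlen)
{
    f->len = 0;
    f->neighbor = CANARY;
    mock_sodium_encrypt((unsigned long long *)&f->len, mlen);
}

/* Hardened pattern: receive the length in a correctly typed temporary, then
 * range-check before narrowing to STRLEN. Returns 0 on success, -1 if the
 * callee failed or the value would not fit a 32-bit STRLEN. */
static int hardened_call(struct frame *f, unsigned long long mlen)
{
    unsigned long long clen = 0;
    f->len = 0;
    f->neighbor = CANARY;
    if (mock_sodium_encrypt(&clen, mlen) != 0)
        return -1;
    if (clen > STRLEN32_MAX)   /* would wrap when narrowed to STRLEN */
        return -1;
    f->len = (strlen32_t)clen;
    return 0;
}

/* Returns 1 when the cast-pointer call overwrote the neighbouring field. */
int vulnerable_clobbers_neighbor(void)
{
    struct frame f;
    vulnerable_call(&f, 1);
    return f.neighbor != CANARY;
}

/* Returns the narrowed length on success, or -1 if the hardened path rejected
 * the value or the neighbouring field was disturbed. */
long long hardened_length(unsigned long long mlen)
{
    struct frame f;
    if (hardened_call(&f, mlen) != 0 || f.neighbor != CANARY)
        return -1;
    return (long long)f.len;
}

int main(void)
{
    printf("cast pointer clobbers neighbour: %d\n", vulnerable_clobbers_neighbor());
    printf("hardened, 1-byte message: len=%lld\n", hardened_length(1));
    printf("hardened, oversized message: rc=%lld (rejected)\n",
           hardened_length(0x100000000ULL));
    return 0;
}
```

The hardened form is the general shape of the fix for any out-parameter whose C type is wider than the caller's variable: never cast the pointer; let the callee write its own type, then check the value against the destination type's maximum before assigning. On a 64-bit build the two types happen to be the same width, which is why the defect only surfaces on 32-bit Perl.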
Details
- CWE(s)