CVE-2026-2597
Published: 27 February 2026
Summary
CVE-2026-2597 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in the Crypt::SysRandom::XS Perl module by Leont. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 19.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2597 affects Crypt::SysRandom::XS versions before 0.010 for Perl, specifically a heap buffer overflow in the XS function random_bytes(). The function fails to validate that the length parameter is non-negative. Supplying a negative value, such as -1, triggers an integer wraparound in the expression length + 1u, resulting in a zero-byte allocation. The subsequent call to the chosen random source (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX), so the call can write far beyond the zero-byte allocation, corrupting the heap and crashing the application.
Attackers can exploit this remotely with low complexity, requiring no privileges or user interaction; the impact is denial of service via application crash, as reflected in the CVSS 7.5 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Exploitation hinges on supplying a negative length parameter, which is unlikely in common usage where callers hardcode the length. Applications that pass untrusted input to this parameter, however, are exposed to heap corruption.
References point to the module's Changes file on MetaCPAN and to the source code of version 0.011; the mitigation is to upgrade to Crypt::SysRandom::XS version 0.010 or later, where the missing validation is added. The vulnerability maps to CWE-122 (Heap-based Buffer Overflow) and CWE-1284 (Wrap-around Error).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8939
Vulnerability details
Crypt::SysRandom::XS versions before 0.010 for Perl is vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to the chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
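To make the arithmetic in the analysis and the vulnerability details concrete, here is an added C example (not code from Crypt::SysRandom::XS): it computes the size that `length + 1u` yields for a negative length, the size that reaches a size_t parameter when the signed value is passed through unchecked, and shows the validating wrapper pattern that rejects negative lengths before allocation. The random source is replaced by a deterministic stand-in so the example runs offline; the function and variable names are assumptions, not the module's own.

```c
/* Added example, not code from Crypt::SysRandom::XS: the integer arithmetic the
 * advisory describes, beside a wrapper that validates the length first. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
/* Allocation size as the vulnerable expression computes it: in `length + 1u` the
 * signed int is converted to unsigned, so -1 becomes UINT_MAX and + 1u wraps to 0. */
unsigned int wrapped_alloc_size(int length) {
    return length + 1u;
}

/* Size that reaches a size_t parameter (e.g. getrandom's buflen) when the original
 * signed value is passed through unchecked: -1 converts to SIZE_MAX. */
size_t converted_request_size(int length) {
    return (size_t)length;
}

/* Hardened pattern: reject a negative length before any allocation or conversion.
 * Returns 0 with a buffer of `length` bytes plus a trailing NUL, or -1 on a negative
 * length or allocation failure. Random source is a constructed stand-in (offline). */
int checked_random_bytes(int length, unsigned char **out, size_t *out_len) {
    *out = NULL; *out_len = 0;
    if (length < 0)
        return -1;                       /* the missing check */
    size_t n = (size_t)length;
    unsigned char *buf = malloc(n + 1);  /* n >= 0 here, so n + 1 cannot wrap to 0 */
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)       /* stand-in for getrandom(buf, n, 0) */
        buf[i] = (unsigned char)(i * 31 + 7);
    buf[n] = '\0';
    *out = buf; *out_len = n;
    return 0;
}
/* Bytes produced for `length`, or -1 if the wrapper rejected it. */
long checked_random_bytes_count(int length) {
    unsigned char *buf; size_t n;
    if (checked_random_bytes(length, &buf, &n) != 0)
        return -1;
    free(buf);
    return (long)n;
}

int main(void) {
    printf("length -1: alloc %u, request %zu, checked %ld; length 16: checked %ld\n",
           wrapped_alloc_size(-1), converted_request_size(-1),
           checked_random_bytes_count(-1), checked_random_bytes_count(16));
    return 0;
}
```

The two size functions only compute the values involved; nothing in the block performs an out-of-bounds write.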
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A remotely reachable heap buffer overflow in a library function, triggered by an untrusted negative length, directly causes application crashes; this matches Endpoint Denial of Service via Application or System Exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): timely identification, testing, and deployment of patches for vulnerable software such as Crypt::SysRandom::XS versions before 0.010, which directly eliminates the heap buffer overflow.
- SI-10 (Information Input Validation): checking that length parameters passed to functions like random_bytes() are non-negative, which prevents the integer wraparound and the resulting buffer overflow from untrusted input.
- SI-16 (Memory Protection): safeguards such as address space layout randomization and heap canaries that limit the damage of unauthorized heap writes even when validation fails.