Cyber Resilience

CVE-2026-2597

Severity: High
Published: 27 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available (Crypt::SysRandom::XS 0.010 or later)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-2597 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Crypt::SysRandom::XS for Perl (CPAN author LEONT). Its CVSS 3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 19.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2597 affects Crypt::SysRandom::XS versions before 0.010 for Perl: a heap buffer overflow in the XS function random_bytes(). The function does not validate that its length parameter is non-negative. Supplying a negative value such as -1 makes the allocation-size expression length + 1u wrap around to zero, so a zero-byte buffer is allocated. The subsequent call to the configured random source (for example getrandom) is passed the original negative length, which converts to a very large unsigned value (typically SIZE_MAX), so the source writes far beyond the allocated buffer, corrupting the heap and crashing the application.

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) models a remote, low-complexity attack that needs no privileges or user interaction and whose impact is limited to availability (denial of service through an application crash). In practice, exploitation requires that the attacker control the length argument. In common usage the length is hardcoded by the caller, so the realistic exposure is applications that derive this parameter from untrusted input (for example a client-supplied token or nonce size); those can be driven into heap corruption.

The references point to the module's Changes file on MetaCPAN and to the source code of version 0.011. The fix is to upgrade to Crypt::SysRandom::XS version 0.010 or later, where the length is validated before use. The vulnerability maps to CWE-122 (Heap-based Buffer Overflow) and CWE-1284 (Improper Validation of Specified Quantity in Input).


Vulnerability details

Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to the chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and an application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
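The size arithmetic described in the two paragraphs above, as an added example that is not code from Crypt::SysRandom::XS or its author. It is a simplified model: the hypothetical fake_random_source() stands in for getrandom(2) and only records what it was asked for, so the program never actually writes out of bounds, and `int length` stands in for Perl's signed IV type (an assumption; the conversions behave the same way for the -1 case). The vulnerable function shows the allocation collapsing to zero bytes while the request becomes SIZE_MAX; the hardened function shows the missing sign check placed before any arithmetic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Trace of one modelled call. In the real module the "overflow" case is a
 * write past the end of the heap allocation; here it is only recorded. */
struct rng_trace {
    size_t requested;  /* byte count the random source was asked for */
    size_t capacity;   /* bytes the destination buffer really holds */
    int    overflow;   /* 1 if requested > capacity (real code would overflow) */
};

/* Hypothetical stand-in for getrandom(): records the request and fills at most
 * `capacity` bytes with a fixed pattern (not random; it is only a trace). */
static void fake_random_source(unsigned char *buf, size_t want,
                               struct rng_trace *t)
{
    t->requested = want;
    t->overflow  = want > t->capacity;
    size_t n = t->overflow ? t->capacity : want;
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(0xA5 ^ i);
}

/* Vulnerable pattern from the advisory: the signed length is trusted, the
 * allocation size is `length + 1u`, and the raw `length` is handed to the
 * random source, where it is converted to size_t.
 * Returns 1 if the modelled call would have written out of bounds, 0 if not,
 * -1 on allocation failure. */
int random_bytes_vulnerable(int length, struct rng_trace *t)
{
    unsigned int alloc = length + 1u;   /* -1 converts to UINT_MAX; +1 wraps to 0 */
    /* Perl's Newxz hands back a usable pointer even for 0 bytes; plain
     * malloc(0) may return NULL, so request 1 byte to keep the demo portable.
     * The capacity the caller believes in stays `alloc`, i.e. zero. */
    unsigned char *buf = malloc(alloc ? alloc : 1);
    if (!buf) return -1;
    t->capacity = alloc;
    fake_random_source(buf, (size_t)length, t); /* (size_t)-1 == SIZE_MAX */
    free(buf);
    return t->overflow;
}

/* Hardened form: reject a negative length before any size arithmetic, then
 * derive both the allocation and the request from the validated value.
 * Returns 0 on success, -1 for a rejected length or allocation failure. */
int random_bytes_fixed(int length, struct rng_trace *t)
{
    if (length < 0) return -1;          /* the check the advisory says was missing */
    size_t want  = (size_t)length;      /* non-negative, so this is the true size */
    size_t alloc = want + 1;            /* same +1 as the advisory's length + 1u */
    unsigned char *buf = malloc(alloc);
    if (!buf) return -1;
    t->capacity = alloc;
    fake_random_source(buf, want, t);   /* request can never exceed capacity */
    free(buf);
    return 0;
}

int main(void)
{
    struct rng_trace v = {0, 0, 0}, f = {0, 0, 0};
    int rv = random_bytes_vulnerable(-1, &v);
    int rf = random_bytes_fixed(-1, &f);
    printf("vulnerable(-1): alloc=%zu request=%zu overflow=%d\n",
           v.capacity, v.requested, rv);
    printf("fixed(-1): rejected=%d\n", rf == -1);
    return 0;
}
```

The trace shows why -1 is the interesting value: the allocation collapses to zero bytes while the request becomes SIZE_MAX. With the real getrandom(2) the kernel caps a single read from the urandom source at 33554431 bytes, so the actual out-of-bounds write is bounded at roughly 32 MiB past a zero-byte allocation, which is still far more than enough to corrupt the heap and crash the process. Callers that compute the length from untrusted input should apply the same non-negative check before the call (the SI-10 control listed below), independent of the fixed module doing it internally.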

CWE(s)

CWE-122 Heap-based Buffer Overflow
CWE-1284 Improper Validation of Specified Quantity in Input

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remotely reachable heap buffer overflow in a library function that crashes the hosting application on an untrusted negative length matches Endpoint Denial of Service via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-2474 (shared CWE-122, CWE-1284)
CVE-2025-32990 (shared CWE-122)
CVE-2025-12664 (shared CWE-1284)
CVE-2025-65548 (shared CWE-1284)
CVE-2026-28842 (shared CWE-122)
CVE-2025-0755 (shared CWE-122)
CVE-2021-47827 (shared CWE-1284)
CVE-2026-30931 (shared CWE-122)
CVE-2025-14511 (shared CWE-1284)
CVE-2026-30999 (shared CWE-122)

Affected Assets

Vendor: leont
Product: Crypt::SysRandom::XS (Perl)
Versions: before 0.010

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Flaw remediation requires timely identification, testing, and deployment of patches for vulnerable software, here Crypt::SysRandom::XS versions before 0.010, directly eliminating the heap buffer overflow.

SI-10 Information Input Validation (prevent)

Information input validation ensures that length parameters passed to functions like random_bytes() are checked for non-negative values before use, preventing the integer wraparound and the resulting buffer overflow when the value comes from untrusted input.

SI-16 Memory Protection (prevent)

Memory protection applies platform safeguards such as address space layout randomization and hardened heap allocators that detect metadata corruption, so that an out-of-bounds write is more likely to abort early than to be silently exploited even if validation fails. These controls limit the consequences but do not prevent the crash, which is exactly the availability impact this CVSS vector scores.
