Cyber Posture

CVE-2026-30910

Severity: High
Published: 08 March 2026
Modified: 10 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0001 (1.9th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30910 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Iamb Crypt::Sodium::XS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 1.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The integer overflow sits in the library's output-size arithmetic, so a remote attacker can reach it through a public-facing application that uses the library (T1190) and trigger crashes or buffer overflows that deny service (T1499.004). The very large inputs required limit practicality, and no confidentiality or integrity impact is indicated.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Crypt::Sodium::XS versions through 0.001000 for Perl have potential integer overflows. Combined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. This can cause a crash in bin2hex and encryption algorithms other than aes256gcm. For aes256gcm encryption and signatures, an undersized buffer could lead to buffer overflow. Encountering this issue is unlikely as the message length would need to be very large:

For bin2hex the input size would have to be > SIZE_MAX / 2
For aegis encryption the input size would need to be > SIZE_MAX - 32U
For other encryption the input size would need to be > SIZE_MAX - 16U
For signatures the input size would need to be > SIZE_MAX - 64U

Deeper analysis

CVE-2026-30910 is an integer overflow vulnerability (CWE-190) in Crypt::Sodium::XS versions through 0.001000 for Perl. It affects the combined AEAD encryption, combined signature creation, and bin2hex functions, which do not verify that the computed output size is less than SIZE_MAX. This omission can trigger integer wraparound, resulting in an undersized output buffer allocation. For bin2hex and encryption algorithms other than aes256gcm, this leads to crashes; for aes256gcm encryption and signatures, it may cause buffer overflows.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network by unauthenticated attackers with low complexity and no user interaction. Attackers must supply extremely large inputs—such as exceeding SIZE_MAX / 2 for bin2hex, SIZE_MAX - 32U for Aegis encryption, SIZE_MAX - 16U for other encryptions, or SIZE_MAX - 64U for signatures—to trigger the issue, which the description notes is unlikely. Exploitation results in denial-of-service via application crashes or buffer overflows, with no impact on confidentiality or integrity.

Advisories point to mitigation via an updated release. The changes for Crypt::Sodium::XS version 0.001001, available at https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes, address the issue. Further discussion appears on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/08/2. Practitioners should upgrade affected installations to version 0.001001 or later to add the necessary output size checks.
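To make the wraparound concrete, the following C example (added here; it is not code from the Crypt::Sodium::XS source or its 0.001001 fix) places the unchecked `inlen + overhead` computation beside the pre-addition bound check the advisory calls for. The 16, 32 and 64 byte overheads and the SIZE_MAX / 2 hex limit come from the description above; the function and macro names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Output overheads quoted in the advisory text (constructed constants;
 * nothing here is copied from the Crypt::Sodium::XS source). */
#define OVERHEAD_AEAD      16U  /* combined AEAD other than AEGIS */
#define OVERHEAD_AEGIS     32U  /* combined AEGIS encryption */
#define OVERHEAD_SIGNATURE 64U  /* combined signature */

/* Unchecked arithmetic of the kind the advisory describes: size_t addition
 * wraps modulo SIZE_MAX + 1, so an input near SIZE_MAX yields a tiny size
 * and therefore an undersized output buffer. */
size_t output_size_unchecked(size_t inlen, size_t overhead)
{
    return inlen + overhead;
}

/* Hardened form: test the bound before adding, so the sum can never wrap.
 * Returns false exactly when inlen > SIZE_MAX - overhead; *outlen is only
 * written on success, so callers cannot use a stale or wrapped value. */
bool output_size_checked(size_t inlen, size_t overhead, size_t *outlen)
{
    if (inlen > SIZE_MAX - overhead)
        return false;
    *outlen = inlen + overhead;
    return true;
}

/* bin2hex emits two output bytes per input byte; the advisory's threshold
 * for that path is inlen > SIZE_MAX / 2. */
bool hex_size_checked(size_t inlen, size_t *outlen)
{
    if (inlen > SIZE_MAX / 2)
        return false;
    *outlen = inlen * 2;
    return true;
}

int main(void)
{
    size_t out, huge = SIZE_MAX - 11; /* constructed: exceeds SIZE_MAX - 16U */
    printf("unchecked: %zu\n", output_size_unchecked(huge, OVERHEAD_AEAD));
    printf("checked: %s\n", output_size_checked(huge, OVERHEAD_AEAD, &out) ? "ok" : "rejected");
    printf("hex: %s\n", hex_size_checked(SIZE_MAX / 2 + 1, &out) ? "ok" : "rejected");
    return 0;
}
```

The unchecked call returns 4 for an input of SIZE_MAX - 11, which is the undersized allocation the advisory describes; the checked variants reject the same inputs before any allocation happens.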

Details

CWE(s): CWE-190 (Integer Overflow or Wraparound)

Affected Products: iamb Crypt::Sodium::XS (versions through 0.001000)

CVEs Like This One

CVE-2025-15444 · Same product: Iamb Crypt::Sodium::XS
CVE-2026-41602 · Shared CWE-190
CVE-2026-27889 · Shared CWE-190
CVE-2026-2588 · Shared CWE-190
CVE-2026-40046 · Shared CWE-190
CVE-2026-23833 · Shared CWE-190
CVE-2026-41605 · Shared CWE-190
CVE-2026-37555 · Shared CWE-190
CVE-2026-25970 · Shared CWE-190
CVE-2026-33900 · Shared CWE-190
