Cyber Resilience

CVE-2026-30910

Severity: High

Published: 08 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: available (Crypt::Sodium::XS 0.001001)
CVSS Score v3.1: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0001 (2.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30910 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Crypt::Sodium::XS, the Perl XS binding to libsodium published on CPAN by IAMB. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 2.1th percentile for exploit likelihood (well below the median), and it is not listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30910 is an integer overflow (CWE-190) in Crypt::Sodium::XS versions through 0.001000 for Perl. The combined AEAD encryption, combined signature creation, and bin2hex functions compute their output buffer size from the caller-supplied input length (input length plus a fixed tag or signature overhead, or twice the input length for hex) without checking that the result stays below SIZE_MAX. For a sufficiently large input the addition or multiplication wraps around, and the function allocates an output buffer far smaller than the data it then writes. For bin2hex and for encryption algorithms other than aes256gcm the result is a crash; for aes256gcm encryption and for signatures the undersized buffer can be overflowed.

The CVSS v3.1 base vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) models an unauthenticated network attacker reaching the library through an application that passes untrusted input to it, with low complexity and no user interaction. Triggering the wrap requires an input close to the platform's size_t limit: more than SIZE_MAX / 2 bytes for bin2hex, more than SIZE_MAX - 32U for Aegis encryption, more than SIZE_MAX - 16U for the other AEAD constructions, and more than SIZE_MAX - 64U for signatures. The advisory itself calls this unlikely. On a 64-bit build these lengths are on the order of 2^64 bytes and cannot be materialised in memory; on a 32-bit build SIZE_MAX is 4294967295, so the thresholds sit around 4 GiB, which is large but no longer absurd for an application that buffers attacker-controlled data. The vector scores availability only (A:H, C:N/I:N), reflecting the crash outcome; note that the advisory describes the aes256gcm and signature paths as buffer overflows rather than crashes, so the C:N/I:N rating is the advisory's assessment of the likely outcome, not a demonstration that the overflow is harmless.
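The size arithmetic the advisory describes, as an added example in C that is not code from Crypt::Sodium::XS or libsodium: the unchecked form computes input length plus a fixed overhead (or a doubling for bin2hex) and silently wraps past SIZE_MAX, while the checked form rejects such inputs before anything is allocated. The overheads (32 bytes for Aegis, 16 for the other AEADs, 64 for a combined signature, 2x for hex) are the advisory's own thresholds; the function names and the driver in main() are illustrative and assumed, not the module's API.

```c
/*
 * Added example (not code from Crypt::Sodium::XS or libsodium): a model of
 * the output-size computations the advisory describes, unchecked beside
 * checked.  Overheads are the advisory's figures; function names are
 * illustrative and do not correspond to the module's XS functions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { OVERHEAD_AEGIS = 32, OVERHEAD_AEAD = 16, OVERHEAD_SIG = 64 };

/* Vulnerable pattern: input length plus fixed overhead, no bound check.
 * For mlen > SIZE_MAX - overhead the sum wraps, and the caller allocates a
 * buffer far smaller than the ciphertext or signature it is about to write. */
size_t out_len_unchecked(size_t mlen, size_t overhead)
{
    return mlen + overhead;
}

/* Hardened form: refuse any input whose output length would wrap.
 * Returns 0 on success with *out set, -1 if mlen + overhead would exceed
 * SIZE_MAX (the advisory's trigger threshold is mlen > SIZE_MAX - overhead). */
int out_len_checked(size_t mlen, size_t overhead, size_t *out)
{
    if (mlen > SIZE_MAX - overhead)
        return -1;
    *out = mlen + overhead;
    return 0;
}

/* bin2hex: two hex digits per input byte (terminator omitted in this model).
 * Unchecked doubling wraps once binlen exceeds SIZE_MAX / 2, which is the
 * threshold the advisory gives. */
size_t hex_len_unchecked(size_t binlen)
{
    return binlen * 2U;
}

int hex_len_checked(size_t binlen, size_t *out)
{
    if (binlen > SIZE_MAX / 2)
        return -1;
    *out = binlen * 2U;
    return 0;
}

/* Drive both versions with a length one byte past each advisory threshold
 * and report what the unchecked arithmetic would hand to the allocator. */
static void report(const char *what, size_t len, size_t overhead)
{
    size_t checked = 0;
    int rc = out_len_checked(len, overhead, &checked);
    printf("%-10s len=SIZE_MAX-%zu+1: unchecked alloc=%zu bytes, checked=%s\n",
           what, overhead, out_len_unchecked(len, overhead),
           rc == 0 ? "ok" : "rejected");
}

int main(void)
{
    size_t h = 0;
    report("aegis", SIZE_MAX - OVERHEAD_AEGIS + 1, OVERHEAD_AEGIS);
    report("aead", SIZE_MAX - OVERHEAD_AEAD + 1, OVERHEAD_AEAD);
    report("signature", SIZE_MAX - OVERHEAD_SIG + 1, OVERHEAD_SIG);
    printf("bin2hex    binlen=SIZE_MAX/2+1: unchecked alloc=%zu bytes, checked=%s\n",
           hex_len_unchecked(SIZE_MAX / 2 + 1),
           hex_len_checked(SIZE_MAX / 2 + 1, &h) == 0 ? "ok" : "rejected");
    return 0;
}
```

The driver only computes sizes: on a 64-bit build the probing lengths cannot be allocated at all, which is what makes the bug hard to reach there, whereas on a 32-bit build (SIZE_MAX = 4294967295) the same inputs are about 4 GiB. The check belongs in front of every allocation whose size is derived from a caller-controlled length, not only at the four call sites the advisory names.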

The fix ships as Crypt::Sodium::XS 0.001001; the release changelog at https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes records the change, and the issue is discussed on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/03/08/2. Upgrade affected installations to 0.001001 or later, which adds the missing output-size checks; there is no configuration-level workaround short of bounding the size of data the application passes to these functions.


Vulnerability details

Crypt::Sodium::XS versions through 0.001000 for Perl have potential integer overflows. Combined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. This can cause a crash in bin2hex and encryption algorithms other than aes256gcm. For aes256gcm encryption and signatures, an undersized buffer could lead to buffer overflow. Encountering this issue is unlikely as the message length would need to be very large:

For bin2hex the input size would have to be > SIZE_MAX / 2
For aegis encryption the input size would need to be > SIZE_MAX - 32U
For other encryption the input size would need to be > SIZE_MAX - 16U
For signatures the input size would need to be > SIZE_MAX - 64U

CWE(s)

CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

An integer overflow in a library reachable from a public-facing application gives a remote attacker a path to crash it: T1190 covers the initial exploitation of the exposed application, T1499.004 the resulting denial of service from the crash or buffer overflow. The very large inputs required limit practicality, and no confidentiality or integrity impact is scored.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-15444: same product (Crypt::Sodium::XS, IAMB)
CVE-2026-37555: shared CWE-190
CVE-2026-23833: shared CWE-190
CVE-2026-27889: shared CWE-190
CVE-2026-40046: shared CWE-190
CVE-2026-25970: shared CWE-190
CVE-2026-24214: shared CWE-190
CVE-2026-41605: shared CWE-190
CVE-2026-33900: shared CWE-190
CVE-2026-6664: shared CWE-190

Affected Assets

IAMB Crypt::Sodium::XS (Perl), versions through 0.001000

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires identifying and installing the patched Crypt::Sodium::XS 0.001001 release, which adds the missing SIZE_MAX output-size checks.

RA-5 Vulnerability Monitoring and Scanning (detect)
Requires continuous vulnerability scanning to discover installations of the affected library versions before an attacker can supply oversized inputs.

Software component inventory (detect)
Maintains an accurate inventory of software components and versions, enabling rapid location of Crypt::Sodium::XS instances that must be upgraded.

References

https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes
http://www.openwall.com/lists/oss-security/2026/03/08/2