CVE-2026-5085
Published: 13 April 2026
Summary
CVE-2026-5085 is a critical-severity cryptographically weak PRNG (CWE-338) vulnerability in Mcrawfor Solstice. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 12.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-23 requires protection of communications session authenticity, directly countering predictable session IDs derived from low-entropy sources such as epoch time, the weak built-in rand(), and the process ID, which enable session hijacking.
SI-2 mandates identification, reporting, and correction of flaws such as the insecure _generateSessionID method in Solstice::Session using insufficient entropy inputs.
AC-12 enforces automatic session termination after defined conditions, limiting the time window for attackers to exploit predicted session IDs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The weak session ID generation in this Perl web session module (predictable from low-entropy seeds) lets remote attackers exploit the public-facing application (T1190) and hijack sessions by presenting predicted web session cookies as alternate authentication material (T1550.004).
NVD Description
Solstice::Session versions through 1440 for Perl generate session ids insecurely. The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id. The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution. The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded by 16-bits and is unsuitable for security purposes. The process id comes from a small set of numbers. Predictable session ids could allow an attacker to gain access to systems.
Deeper analysis
CVE-2026-5085 affects Solstice::Session versions through 1440 for Perl, where the _generateSessionID method insecurely generates session IDs as an MD5 digest seeded by low-entropy inputs: the epoch time, a random hash reference, the built-in rand() function, and the process ID. The same flawed method appears in the _generateID method of Solstice::Subsession, part of the same distribution. These inputs are predictable—epoch time can be guessed unless leaked via the HTTP Date header, stringified hash references contain foreseeable content, rand() uses only a 16-bit seed unsuitable for security, and process IDs draw from a limited range—leading to session IDs that lack sufficient randomness.
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity, as indicated by the CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). By predicting session IDs (CWE-338, use of a cryptographically weak PRNG; CWE-340, generation of predictable identifiers from insufficient entropy), they can hijack active sessions and gain unauthorized access to affected systems.
Advisories, including the OSS-security mailing list disclosure and MetaCPAN's security guide on random data, highlight the need for cryptographically secure randomness in session generation, pointing to the vulnerable source code in Solstice::Session.pm and Solstice::Subsession.pm. No patches are detailed in the provided references.
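As an added illustration, not code from the Solstice distribution, the guessable-input pattern the advisory describes is shown beside a replacement that draws the identifier from the operating system's CSPRNG. The function names, the reconstructed weak pattern and the /dev/urandom source are assumptions of this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Anti-pattern (hypothetical reconstruction, not Solstice's actual source):
# every input is guessable or low-entropy, so wrapping them in MD5 does not
# help. time() can be guessed or read from the HTTP Date header, a stringified
# hashref looks like HASH(0x55a1...) and varies little, rand() is not a CSPRNG,
# and $$ (the PID) comes from a small range.
sub weak_session_id {
    my $ref = {};
    return md5_hex( join '', time(), "$ref", rand(), $$ );
}

# Hardened: read 32 bytes (256 bits) from the kernel CSPRNG and hex-encode.
# Hashing the result afterwards is unnecessary; it adds no entropy.
# On CPAN, Crypt::URandom's urandom(32) does the same portably.
sub secure_session_id {
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, 32;
    close $fh;
    die "short read from /dev/urandom"
        unless defined $got && $got == 32;
    return unpack 'H*', $bytes;
}

# Both outputs look like random hex, which is why the weakness is not visible
# from the ID itself and has to be found by reviewing the generator's inputs.
print "weak:   ", weak_session_id(),   "\n";
print "secure: ", secure_session_id(), "\n";
```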
Details
- CWE(s): CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator), CWE-340 (Generation of Predictable Numbers or Identifiers)