Cyber Posture

CVE-2026-5086

High

Published: 13 April 2026
Modified: 06 May 2026
KEV Added: not listed
Patch: Crypt::SecretBuffer 0.019
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0001 (2.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-5086 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Crypt::SecretBuffer, a Perl module published by Nerdvana. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 2.9th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations this analysis identified are NIST 800-53 SI-2 (Flaw Remediation), in practice upgrading to Crypt::SecretBuffer 0.019, and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SI-2 Flaw Remediation (prevent): Directly requires identification, reporting, and correction of the timing attack flaw in Crypt::SecretBuffer versions before 0.019 by patching to version 0.019.

Cryptographic protection of secrets (prevent): Mandates cryptographic mechanisms that protect against unauthorized disclosure of secrets, addressing timing discrepancies that leak password information during comparisons.

RA-5 Vulnerability Monitoring and Scanning (detect): Facilitates detection of the vulnerable Crypt::SecretBuffer library through regular vulnerability scanning, enabling timely remediation.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The timing leak in the Perl module's password comparison is reachable over the network, so an attacker can drive it through a public-facing application (T1190) and use the observed timing differences to steer password guessing (T1110.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepancies in timing could be used to guess the secret password.

Deeper analysis (AI-generated)

CVE-2026-5086 is a vulnerability in Crypt::SecretBuffer versions before 0.019 for Perl that makes the module susceptible to timing attacks (CWE-208). The issue arises when the module is used to store and compare secrets such as plaintext passwords: if the comparison's running time depends on how much of the submitted value matches the stored secret, an attacker who can measure that time learns information about the secret with each attempt.

Per its CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, base score 7.5), the flaw is reachable over the network with low attack complexity, no privileges, and no user interaction, and successful exploitation is a high-impact confidentiality breach: recovering a password by observing timing discrepancies during comparisons. In practice, a timing attack carried out over a network requires many repeated measurements to average out jitter, which is consistent with the low EPSS score; the exposure is greatest where the comparison is fast to trigger and unthrottled.
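As an added illustration (not code from Crypt::SecretBuffer or its authors; the module is Perl, and this models the CWE-208 flaw class in Python), the block below shows an early-exit byte comparison beside a fixed-work one, and an attacker loop that recovers the secret one byte at a time from the leaky comparator but gets no signal from the hardened one. The leak is modeled deterministically as the number of bytes the comparison examined before returning, which is what elapsed time exposes in a real attack. The secret, the guess alphabet and the assumption that the attacker knows the secret's length are all constructed for the example.

```python
"""Timing-oracle recovery against an early-exit compare (added example)."""
import hmac

SECRET = b"s3cr3t!"                 # constructed sample secret
ALPHABET = bytes(range(32, 127))    # printable ASCII candidate bytes


def leaky_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit compare: returns (match, bytes_examined).

    bytes_examined stands in for elapsed time. The more leading bytes of the
    guess are correct, the longer the loop runs before bailing out, so the
    work done reveals the length of the matching prefix.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Fixed-work compare: examines every byte regardless of where they differ.

    hmac.compare_digest does the real comparison; the work count is always
    len(secret), so the 'timing' signal carries no information about the guess.
    """
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(compare, length: int) -> tuple[bytes, bool]:
    """Attacker loop: at each position keep the byte that makes compare() do
    the most work. compare(guess) returns (match, work). Returns the recovered
    bytes and whether recovery succeeded; stops early if the oracle is silent.
    Assumes the attacker knows the secret length (constructed assumption).
    """
    known = bytearray()
    for pos in range(length):
        best_byte, best_work, ties = None, -1, 0
        for c in ALPHABET:
            guess = bytes(known) + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, work = compare(guess)
            if matched:
                return guess, True
            if work > best_work:
                best_byte, best_work, ties = c, work, 0
            elif work == best_work:
                ties += 1
        if ties == len(ALPHABET) - 1:
            # Every candidate cost the same: no side channel, give up.
            return bytes(known), False
        known.append(best_byte)
    return bytes(known), False


def attack_leaky() -> tuple[bytes, bool]:
    """Run the attacker against the vulnerable comparator."""
    return recover_secret(lambda g: leaky_equal(SECRET, g), len(SECRET))


def attack_constant_time() -> tuple[bytes, bool]:
    """Run the attacker against the hardened comparator."""
    return recover_secret(lambda g: constant_time_equal(SECRET, g), len(SECRET))


if __name__ == "__main__":
    print("leaky compare:        ", attack_leaky())
    print("constant-time compare:", attack_constant_time())
```

Each position costs at most one pass over the alphabet (95 guesses here) instead of 95**7 for a blind search, which is why a comparison that stops at the first mismatch turns a password check into a linear-time oracle. In real deployments the per-guess "work" is recovered from response-time statistics rather than a counter, so the attacker needs repeated measurements per candidate, but the search strategy is the same.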

The patch in Crypt::SecretBuffer version 0.019 addresses the timing attack vulnerability, with details documented in the module's Changes file available at https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes. Additional information on the issue and remediation appears in the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/13/12.

Details

CWE(s)

CWE-208 Observable Timing Discrepancy

Affected Products

Nerdvana Crypt::SecretBuffer (Perl), versions before 0.019

CVEs Like This One

CVE-2025-68621 (shared CWE-208)
CVE-2025-70949 (shared CWE-208)
CVE-2026-40972 (shared CWE-208)
CVE-2026-28464 (shared CWE-208)
CVE-2026-41588 (shared CWE-208)
CVE-2025-48630 (shared CWE-208)
CVE-2024-42512 (shared CWE-208)
CVE-2024-13939 (shared CWE-208)
CVE-2026-23519 (shared CWE-208)

References

https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes (Crypt::SecretBuffer 0.019 Changes file)
http://www.openwall.com/lists/oss-security/2026/04/13/12 (oss-security mailing list post, 13 April 2026)