VDB

CVE-2026-2474

CVE-2026-2474 PUBLISHED CVSS 9.300000190734863 CRITICAL

Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.

EPSS 0.06% · 19.4th percentile

Risk Scores

CVSS v4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
0.06%
19.4th percentile

Affected Products

VendorProductVersions
DDICKCrypt::URandom0.41, 0.41
ddickcrypt\0.41, 0.41

Timeline

  • Feb 13, 2026 CVE ID Reserved
  • Feb 16, 2026 CVE Published
  • Feb 17, 2026 EPSS Score
  • Feb 17, 2026 CVE Updated
  • Feb 17, 2026 PoC Published
  • Feb 19, 2026 EPSS Score
  • Feb 21, 2026 EPSS Score
  • Feb 22, 2026 EPSS Score
  • Feb 24, 2026 EPSS Score
  • Feb 26, 2026 EPSS Score
  • Feb 28, 2026 EPSS Score
  • Mar 1, 2026 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›