FKIE_CVE-2026-30910
Vulnerability from fkie_nvd - Published: 2026-03-08 02:16 - Updated: 2026-03-10 18:18
Severity
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Crypt::Sodium::XS versions through 0.001000 for Perl have potential integer overflows.
The combined AEAD encryption, combined signature creation, and bin2hex functions do not check that the output size will be less than SIZE_MAX, which could lead to integer wraparound and an undersized output buffer. This can cause a crash in bin2hex and in encryption algorithms other than aes256gcm. For aes256gcm encryption and for signatures, an undersized buffer could lead to a buffer overflow.
Encountering this issue is unlikely, as the message length would need to be very large:
- For bin2hex, the input size would have to be > SIZE_MAX / 2
- For aegis encryption, the input size would need to be > SIZE_MAX - 32U
- For other encryption, the input size would need to be > SIZE_MAX - 16U
- For signatures, the input size would need to be > SIZE_MAX - 64U
References
| Source | URL | Tags |
|---|---|---|
| 9b29abf9-4ab0-4765-b253-1875cd9b441e | https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes | Release Notes |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2026/03/08/2 | Mailing List, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:iamb:crypt\\:\\:sodium\\:\\:xs:*:*:*:*:*:perl:*:*",
"matchCriteriaId": "36F9F8AC-0EDB-4FA5-9E11-1F85AC15D3E8",
"versionEndIncluding": "0.001001",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows.\n\nCombined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. This can cause a crash in bin2hex and encryption algorithms other than aes256gcm. For aes256gcm encryption and signatures, an undersized buffer could lead to buffer overflow.\n\nEncountering this issue is unlikely as the message length would need to be very large.\n\nFor bin2hex the input size would have to be \u003e SIZE_MAX / 2 For aegis encryption the input size would need to be \u003e SIZE_MAX - 32U For other encryption the input size would need to be \u003e SIZE_MAX - 16U For signatures the input size would need to be \u003e SIZE_MAX - 64U"
},
{
"lang": "es",
"value": "Las versiones de Crypt::Sodium::XS hasta la 0.001000 para Perl tienen posibles desbordamientos de enteros.\n\nEl cifrado AEAD combinado, la creaci\u00f3n de firmas combinada y las funciones bin2hex no verifican que el tama\u00f1o de salida sea menor que SIZE_MAX, lo que podr\u00eda llevar a un \u0027integer wraparound\u0027 causando un b\u00fafer de salida de tama\u00f1o insuficiente. Esto puede causar un fallo en bin2hex y en algoritmos de cifrado distintos de aes256gcm. Para el cifrado aes256gcm y las firmas, un b\u00fafer de tama\u00f1o insuficiente podr\u00eda llevar a un desbordamiento de b\u00fafer.\n\nEs poco probable encontrar este problema, ya que la longitud del mensaje tendr\u00eda que ser muy grande.\n\nPara bin2hex, el tama\u00f1o de entrada tendr\u00eda que ser \u0026gt; SIZE_MAX / 2\nPara el cifrado aegis, el tama\u00f1o de entrada tendr\u00eda que ser \u0026gt; SIZE_MAX - 32U\nPara otros cifrados, el tama\u00f1o de entrada tendr\u00eda que ser \u0026gt; SIZE_MAX - 16U\nPara las firmas, el tama\u00f1o de entrada tendr\u00eda que ser \u0026gt; SIZE_MAX - 64U"
}
],
"id": "CVE-2026-30910",
"lastModified": "2026-03-10T18:18:51.633",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2026-03-08T02:16:00.620",
"references": [
{
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"tags": [
"Release Notes"
],
"url": "https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2026/03/08/2"
}
],
"sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"type": "Secondary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.