CVE-2026-2588
Integer Overflow in Crypt::NaCl::Sodium on 32-bit Systems
Publication date: 2026-02-23
Last updated on: 2026-03-04
Assigner: CPANSec
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| timlegge | crypt | up to 2.001 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to an integer overflow flaw in the Crypt::NaCl::Sodium Perl module on 32-bit systems, specifically in the Sodium.xs file handling length parameters for cryptographic functions.
Detection would involve identifying if your system is running Crypt::NaCl::Sodium version 2.001 or earlier on a 32-bit architecture.
Since this is a code-level vulnerability in a Perl XS binding, direct network detection commands are not applicable.
To check the installed version of Crypt::NaCl::Sodium on your system, you can run the following Perl command:
- perl -MCrypt::NaCl::Sodium -e 'print $Crypt::NaCl::Sodium::VERSION, "\n";'
To determine if your system is 32-bit, you can use:
- uname -m
If the output indicates a 32-bit architecture (e.g., i386, i686), and the module version is 2.001 or earlier, your system is potentially vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating the Crypt::NaCl::Sodium Perl module to a version that includes the patches addressing CVE-2026-2588.
The patches fix the integer overflow by properly handling length variables as unsigned long long and adding checks to prevent size_t overflow during cryptographic operations.
Steps to mitigate:
- Upgrade Crypt::NaCl::Sodium to a version that includes the fixes from the patches (post-2.001).
- If upgrading is not immediately possible, review and apply the patches from the official repository to your Sodium.xs file.
- Avoid running the vulnerable module on 32-bit systems until patched.
- Test cryptographic functions after patching to ensure correct behavior and no integer overflow occurs.
Can you explain this vulnerability to me?
CVE-2026-2588 is an integer overflow flaw in Crypt::NaCl::Sodium versions through 2.001 for Perl that affects 32-bit systems. The issue arises because the Sodium.xs file casts a pointer to a length of type STRLEN (typically 32-bit on these systems) to a pointer to unsigned long long (at least 64-bit), so a libsodium function that stores its output length through that pointer writes 8 bytes into 4 bytes of storage, causing incorrect length handling during cryptographic operations.
This improper casting can lead to truncation or misinterpretation of length values returned by libsodium cryptographic functions, potentially causing buffer overflows or memory corruption.
Patches for this vulnerability fix the problem by using properly declared unsigned long long variables to store output lengths and adding checks to ensure these lengths do not exceed system memory limits before casting back to STRLEN.
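The following C program is an added illustration of the fixed pattern described above (a full-width unsigned long long for the output length, narrowed to STRLEN only after a range check, plus a check that the input length cannot wrap size_t). It is not code from Sodium.xs or from libsodium: `xs_strlen_t` is a constructed stand-in for a 32-bit STRLEN, and `stub_encrypt` is a hypothetical stand-in for a libsodium primitive that reports its output length through an `unsigned long long *`; the tag length is a constructed constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for Perl's STRLEN on a 32-bit build. The real typedef is
 * platform dependent; a fixed 32-bit type lets the check run on a 64-bit host. */
typedef uint32_t xs_strlen_t;
#define XS_STRLEN_MAX UINT32_MAX

/* Constructed tag length appended by the stand-in primitive (AEAD-style). */
#define TAGBYTES 16ULL

/* Hypothetical stand-in for a libsodium call that reports its output length
 * through an unsigned long long pointer. It does not encrypt anything: it copies
 * the message and appends a zero tag so the length bookkeeping can be exercised. */
static int stub_encrypt(unsigned char *out, unsigned long long *outlen_p,
                        const unsigned char *msg, unsigned long long msglen)
{
    memcpy(out, msg, (size_t)msglen);
    memset(out + msglen, 0, (size_t)TAGBYTES);
    *outlen_p = msglen + TAGBYTES;
    return 0;
}

/*
 * Vulnerable shape as the advisory describes it (shown only, never called):
 *
 *     xs_strlen_t outlen;
 *     stub_encrypt(out, (unsigned long long *)&outlen, msg, msglen);
 *
 * On a 32-bit build the callee stores 8 bytes through a pointer to 4 bytes of
 * storage: the write spills past outlen and the length read back is truncated.
 */

/* Fixed narrowing: an unsigned long long becomes a 32-bit length only after
 * confirming it fits. Returns false (and leaves *dst untouched) otherwise. */
static bool ull_to_strlen(unsigned long long v, xs_strlen_t *dst)
{
    if (v > XS_STRLEN_MAX)
        return false;
    *dst = (xs_strlen_t)v;
    return true;
}

/* Fixed wrapper shape: the input length is checked so msglen + TAGBYTES cannot
 * wrap size_t on a 32-bit build, the output length lives in a real unsigned long
 * long, and it is narrowed through ull_to_strlen. Returns 0 on success, -1 on
 * any failed check. */
static int xs_encrypt_fixed(unsigned char *out, size_t outcap, xs_strlen_t *outlen_p,
                            const unsigned char *msg, xs_strlen_t msglen)
{
    unsigned long long outlen = 0;

    if (msglen > SIZE_MAX - TAGBYTES)          /* buffer size would wrap */
        return -1;
    if ((size_t)msglen + (size_t)TAGBYTES > outcap) /* caller's buffer too small */
        return -1;
    if (stub_encrypt(out, &outlen, msg, msglen) != 0)
        return -1;
    return ull_to_strlen(outlen, outlen_p) ? 0 : -1;
}

int main(void)
{
    unsigned char msg[] = "constructed sample message";
    unsigned char out[64];
    xs_strlen_t outlen = 0, narrowed = 0;
    int rc = xs_encrypt_fixed(out, sizeof out, &outlen, msg, (xs_strlen_t)(sizeof msg - 1));

    printf("rc=%d outlen=%u\n", rc, (unsigned)outlen);
    printf("4 GiB output length accepted: %s\n",
           ull_to_strlen(1ULL << 32, &narrowed) ? "yes" : "no");
    return rc;
}
```

The point of the two checks is that neither the input arithmetic nor the returned length is ever trusted to fit the narrower 32-bit type; a length that does not fit is reported as an error rather than silently truncated.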
How can this vulnerability impact me?
This vulnerability can lead to unsafe handling of buffer lengths during encryption, decryption, signing, and verification operations in the Crypt::NaCl::Sodium Perl module on 32-bit systems.
If exploited, it may cause integer overflow resulting in buffer overflows or memory corruption, which could compromise the integrity and security of cryptographic operations.
Such memory corruption could potentially be leveraged by attackers to execute arbitrary code, cause application crashes, or leak sensitive cryptographic material.