CVE-2026-30909
Received Received - Intake
Integer Overflow in Crypt::NaCl::Sodium Perl Functions Causing Buffer Undersize

Publication date: 2026-03-08

Last updated on: 2026-03-18

Assigner: CPANSec

Description
Crypt::NaCl::Sodium versions through 2.002 for Perl has potential integer overflows. bin2hex, encrypt, aes256gcm_encrypt_afternm and seal functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. Encountering this issue is unlikely as the message length would need to be very large. For bin2hex() the bin_len would have to be > SIZE_MAX / 2 For encrypt() the msg_len would need to be > SIZE_MAX - 16U For aes256gcm_encrypt_afternm() the msg_len would need to be > SIZE_MAX - 16U For seal() the enc_len would need to be > SIZE_MAX - 64U
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30909
EUVD
EUVD-2026-10199
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
timlegge crypt to 2.003 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30909 is an integer overflow vulnerability in the Perl bindings of the libsodium cryptographic library, specifically in Crypt::NaCl::Sodium versions through 2.002.

Certain functions like bin2hex, encrypt, aes256gcm_encrypt_afternm, and seal do not properly check if the output size exceeds the maximum allowed size (SIZE_MAX). This can cause an integer wraparound, leading to an undersized output buffer.

If the output buffer is too small due to this overflow, it could result in memory corruption or crashes during cryptographic operations.

However, encountering this issue is unlikely because it requires processing extremely large message lengths close to system memory limits.

Impact Analysis

This vulnerability can lead to memory corruption or application crashes when performing cryptographic operations using the affected Perl libsodium bindings.

If exploited, it could potentially cause denial of service or unexpected behavior in applications relying on these cryptographic functions.

However, exploitation is difficult because it requires processing very large input sizes that approach system memory limits.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from integer overflow issues in specific Perl functions within Crypt::NaCl::Sodium, which are triggered only with extremely large input sizes. Detection involves verifying if the affected Perl module versions are in use and checking for unusually large input sizes to the vulnerable functions.'}, {'type': 'paragraph', 'content': 'Since the issue is related to integer overflows in functions like bin2hex, encrypt, aes256gcm_encrypt_afternm, and seal, you can detect vulnerable versions by checking the installed Crypt::NaCl::Sodium Perl module version (versions through 2.002 are affected).'}, {'type': 'list_item', 'content': 'Check the installed version of Crypt::NaCl::Sodium with the command: perl -MCrypt::NaCl::Sodium -e \'print $Crypt::NaCl::Sodium::VERSION, "\\n";\''}, {'type': 'list_item', 'content': 'Audit your Perl scripts or applications for usage of the vulnerable functions: bin2hex, encrypt, aes256gcm_encrypt_afternm, and seal.'}, {'type': 'list_item', 'content': 'Monitor application logs or error messages for croak() exceptions indicating size_t overflow errors, such as "Encrypted length exceeds system memory limit (size_t overflow)" or "Binary data provided too large (will cause hex_len > SIZE_MAX)".'}] [1]

Mitigation Strategies

The primary mitigation is to update the Crypt::NaCl::Sodium Perl module to a version that includes the patch addressing this vulnerability.

  • Upgrade Crypt::NaCl::Sodium to a version later than 2.002 where the integer overflow checks have been implemented.
  • Ensure that input sizes to the vulnerable functions (bin2hex, encrypt, aes256gcm_encrypt_afternm, seal) are validated and kept well below the SIZE_MAX limits to avoid triggering integer wraparound.
  • If upgrading immediately is not possible, implement input validation in your application code to reject or limit very large inputs to these functions.

These steps prevent undersized buffer allocations and potential memory corruption or crashes caused by integer overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30909. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart