CVE-2026-11702
Deferred
Deferred - Pending Action
Predictable PRNG in Bytes::Random::Secure::Tiny
Vulnerability report for CVE-2026-11702, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-26
Last updated on: 2026-07-01
Assigner: CPANSec
Description
Description
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.
When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| daoswald | bytes_random_secure_tiny | 1.011 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-335 | The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds. |