CVE-2026-57080
Status: Received - Intake

Memory Exhaustion in Net::BitTorrent Perl Module

Vulnerability report for CVE-2026-57080, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CPANSec

Description

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte big-endian length prefix sent by a connected peer without imposing any upper bound, while receive_data appends every inbound byte to the input buffer. A peer can announce a length prefix of up to 2^32 - 1 bytes (about 4 GiB) and then stream bytes; because the decoder waits until the buffer holds the complete message before processing it, the buffer grows for as long as the peer keeps sending. Peer connections are unauthenticated, so any peer in the swarm can exhaust the downloading process's memory. The largest legitimate message is a piece message carrying a 16 KiB block, so any announced length far above that is anomalous.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Vendor: sanko
Product: net_bittorrent
Version / Range: all versions through 2.0.1 (inclusive)

Exploitability

CWE ID   Description
CWE-400  Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource.
CWE-770  Allocation of Resources Without Limits or Throttling: the product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

The immediate mitigation step is to enforce a maximum allowed message length for peer-wire messages and disconnect any peer whose length prefix exceeds it. A cap of around 1 MiB leaves ample headroom: the largest common message is a piece message carrying a 16 KiB block, and the bitfield message grows by only one byte per eight pieces, so 1 MiB is far above anything a legitimate peer sends. Critically, the check must run on the length prefix before any of the message body is buffered; a check that runs only once the full message has arrived does not help, because the memory has already been consumed by then.

If you are using a vulnerable version of Net::BitTorrent (up to 2.0.1), update to a fixed version that includes this check once one is published; this page does not name one.

In the meantime, network-level controls are of limited use: a port-based firewall rule cannot see the peer-wire length prefix, so blocking this traffic requires an application-aware filter that parses peer-wire framing, or restricting which peers the client will connect to. Running the client under a memory limit (for example a cgroup memory limit or ulimit -v) at least contains the damage to the client process rather than the whole host.

Executive Summary

CVE-2026-57080 is a vulnerability in the Net::BitTorrent Perl module (versions up to 2.0.1) where the software improperly handles the peer-wire message length prefix. The module trusts a 4-byte length value sent by a connected peer without any upper bound.

Because the client waits until the buffer contains the full message before processing it, and continues appending incoming data without limit, a malicious peer can send a very large length prefix (up to about 4 GiB) and stream data indefinitely. This causes the buffer to grow without limit, leading to remote memory exhaustion.

Since peer connections are unauthenticated, any peer in the swarm can exploit this by sending an anomalously large length prefix, causing the client to consume all available memory and potentially crash.

Impact Analysis

This vulnerability can lead to a remote denial-of-service (DoS) condition by exhausting the memory of the system running the Net::BitTorrent client.

A malicious peer can cause the client to allocate unbounded memory, until the process dies with an allocation failure or, on Linux, the kernel's out-of-memory (OOM) killer terminates it (or another process on the host).

This can disrupt downloading processes, degrade system performance, and potentially cause service outages or crashes.

Detection Guidance

The attack is visible on the wire before it is visible in memory, because the malicious peer must announce the oversized length prefix up front. In normal operation the largest peer-wire message is a piece message carrying a 16 KiB block (a bitfield for a very large torrent can be bigger, but still far short of 1 MiB), so any length prefix significantly exceeding 1 MiB is anomalous and indicative of an attack attempt.

You can use packet capture tools such as tcpdump or Wireshark to capture peer-wire traffic and inspect the 4-byte big-endian length prefix of each message. Two caveats: 6881 is only the conventional port, and peers commonly listen on arbitrary ports, so capture on whatever port the client actually uses; and connections negotiated with protocol encryption (MSE/PE) hide the length prefix from passive inspection.

  • Use tcpdump to capture traffic on the BitTorrent port (6881 here as an example): tcpdump -i <interface> port 6881 -w capture.pcap
  • Open the capture in Wireshark, apply the bittorrent display filter, and inspect each message's length field for values exceeding 1 MiB (1048576 bytes).

Additionally, monitoring the memory usage of the Net::BitTorrent process (for example with ps or a resource monitor) helps detect abnormal growth: the receive buffer for a single peer connection growing past a few hundred kilobytes is itself a strong signal, since no legitimate message requires that much.
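The decoder behaviour given in the Description, the prefix cap recommended under Mitigation Strategies, and the length-prefix scan suggested in this Detection Guidance, as one added illustration in Python rather than the module's own Perl code: the class and method names (PeerWireDecoder, receive_data, _process_messages) mirror the description but are this example's, scan_for_oversized is an assumed helper, and all traffic is constructed inline. With max_len=None the decoder reproduces the uncapped behaviour and its buffer grows with every chunk the peer streams; with a cap it drops the peer at the prefix before a single body byte is stored.

```python
import struct

BLOCK_SIZE = 16 * 1024                  # largest block a client requests per BEP 3
MAX_PIECE_MSG = 1 + 4 + 4 + BLOCK_SIZE  # piece message: id + index + begin + block = 16393 bytes
CAP = 1 << 20                           # 1 MiB cap, the figure the page's mitigation suggests


class PeerWireDecoder:
    """Length-prefixed framing as the description lays it out (example code, not
    Net::BitTorrent's): receive_data appends, _process_messages waits for the whole
    message. max_len=None reproduces the vulnerable, uncapped behaviour."""

    def __init__(self, max_len=None):
        self.buf = bytearray()
        self.max_len = max_len
        self.messages = []        # completed payloads (message id + body); keep-alive is b""
        self.disconnected = False

    def receive_data(self, data):
        if self.disconnected:
            return
        self.buf.extend(data)     # every inbound byte is appended, no bound
        self._process_messages()

    def _process_messages(self):
        while len(self.buf) >= 4:
            (length,) = struct.unpack(">I", bytes(self.buf[:4]))
            if self.max_len is not None and length > self.max_len:
                # hardened path: reject the prefix before buffering a single body byte
                self.disconnected = True
                self.buf.clear()
                return
            if len(self.buf) < 4 + length:
                return            # wait for the rest; with no cap the buffer grows meanwhile
            self.messages.append(bytes(self.buf[4:4 + length]))
            del self.buf[:4 + length]


def frame(payload):
    """Prefix a payload with its 4-byte big-endian length."""
    return struct.pack(">I", len(payload)) + payload


def malicious_stream(announced_len, chunk, nchunks):
    """Constructed attacker traffic (post-handshake): a few legitimate messages, then an
    oversized length prefix followed by filler that never completes the message."""
    yield frame(b"")                                 # keep-alive (length 0)
    yield frame(bytes([1]))                          # unchoke
    yield frame(bytes([4]) + struct.pack(">I", 7))   # have, piece index 7
    yield struct.pack(">I", announced_len)           # the anomalous prefix
    for _ in range(nchunks):
        yield bytes(chunk)                           # filler bytes streamed afterwards


def run(max_len, announced_len=0xFFFFFFFF, chunk=64 * 1024, nchunks=16):
    """Feed the constructed stream to a decoder and report what it did."""
    d = PeerWireDecoder(max_len)
    for data in malicious_stream(announced_len, chunk, nchunks):
        d.receive_data(data)
    return {"buffered": len(d.buf), "messages": len(d.messages), "disconnected": d.disconnected}


def scan_for_oversized(stream, threshold):
    """Detection helper (assumed, not a Wireshark feature): walk a captured post-handshake
    byte stream message by message and return (offset, announced_length) of the first
    prefix above threshold, else None."""
    off = 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, off)
        if length > threshold:
            return off, length
        off += 4 + length
    return None


if __name__ == "__main__":
    print("uncapped:", run(None))  # buffer holds 4 + 16 * 64 KiB and would keep growing
    print("capped:  ", run(CAP))   # peer dropped at the prefix, nothing buffered
    capture = b"".join(malicious_stream(0xFFFFFFFF, 64 * 1024, 2))
    print("capture: ", scan_for_oversized(capture, CAP))  # (18, 4294967295)
```

With no cap, the buffered count equals everything the peer has streamed so far; in a real swarm the peer simply keeps sending. The property that matters in the hardened path is that the comparison happens at the prefix, before any body byte is stored, since a check that waits for the complete message never gets to run. The scanner stops at the first oversized prefix because nothing after it can be framed meaningfully; it also assumes an unencrypted stream starting right after the handshake, which is not length-prefixed.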
