CVE-2026-57081

Memory Exhaustion in Net::BitTorrent via Bencoded Input

Vulnerability report for CVE-2026-57081, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: CPANSec

Description

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via deeply nested bencoded input. bdecode recurses once per nested list or dictionary level with no depth cap, and each recursive call receives the remaining buffer by value while the list and dictionary branches capture the whole remainder, so every live recursion frame keeps its own copy of the shrinking buffer (O(N^2) bytes for an N-deep input). The decoder runs on every untrusted bencode source: .torrent files, BEP09 metadata fetched from peers, DHT messages, and tracker responses. A bencoded input of roughly 150,000 nested lists (about 150 KB on the wire) drives multi-gigabyte peak memory, so one short message from any peer, or one crafted .torrent file or magnet link, terminates the client.


Meta Information

  • Published: 2026-06-30
  • Last Modified: 2026-06-30
  • Generated: 2026-06-30
  • AI Q&A: 2026-06-30
  • EPSS Evaluated: N/A

Affected Vendors & Products

  • Vendor: sanko
  • Product: net_bittorrent
  • Version / Range: to 2.0.1 (exc)

CWE

  • CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
  • CWE-674: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Executive Summary

The vulnerability in the Net::BitTorrent Perl module affects its bencode decoder, which processes nested bencoded data without limiting recursion depth.

The bdecode function recursively processes each nested list or dictionary level, copying the remaining input buffer at every recursion. This causes memory usage to grow quadratically (O(N^2)) with the depth of nesting.

An attacker can craft deeply nested bencoded input (e.g., about 150,000 nested lists) that causes the decoder to consume multiple gigabytes of memory, leading to memory exhaustion and crashing the client.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by exhausting system memory when processing deeply nested bencoded input.

An attacker can remotely send a crafted message, .torrent file, or magnet link that triggers excessive memory consumption, causing the client to crash or terminate unexpectedly.

This can disrupt service availability and potentially impact any system relying on the vulnerable Net::BitTorrent module for processing untrusted bencoded data.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high memory usage or crashes of the Net::BitTorrent client when processing bencoded data from untrusted sources such as .torrent files, BEP09 metadata, DHT messages, or tracker responses.

Since the issue arises from deeply nested bencoded input causing excessive recursion and memory exhaustion, detection can involve analyzing incoming bencoded data for excessive nesting depth.

Specific commands are not provided in the resources, but general approaches include:

  • Using memory monitoring tools (e.g., top, htop) to observe the Net::BitTorrent process for spikes in memory usage.
  • Capturing and inspecting network traffic for suspiciously large or deeply nested bencoded messages using tools like tcpdump or Wireshark.
  • Implementing or using scripts to parse bencoded data and count nesting levels to identify potentially malicious inputs.

Mitigation Strategies

Immediate mitigation steps include limiting the nesting depth of bencoded input processed by the Net::BitTorrent client.

Specifically, rejecting or capping input beyond approximately 100 nested levels can prevent the excessive memory consumption caused by deeply nested bencoded data.

Alternatively, using an iterative decoder implementation that does not copy the buffer on each recursion can mitigate the memory amplification issue.

Since no patch has been released yet for versions up to 2.0.1, these mitigations should be applied as configuration or code changes where possible.
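The depth pre-check that the detection and mitigation guidance above describes, written out as an added example; it is not part of this advisory or of Net::BitTorrent itself, and the cap of 100 levels and the two sample inputs are constructed here.

```perl
use strict;
use warnings;
# Added example (not Net::BitTorrent code): iterative bencode depth check for
# untrusted input before it reaches bdecode. Offset-based, so no recursion and
# no per-level copy; rejects nesting over $cap (default 100). Structural only.
sub bencode_depth_ok {
    my ($buf, $cap) = (shift, shift // 100);
    my ($pos, $len, $depth, $max) = (0, length($buf), 0, 0);
    while ($pos < $len) {
        my $c = substr $buf, $pos, 1;
        if ($c eq 'l' or $c eq 'd') {          # open list / dictionary
            $max = $depth if ++$depth > $max;
            return (0, $max, "depth $depth exceeds cap $cap at offset $pos")
                if $depth > $cap;
            $pos++;
        }
        elsif ($c eq 'e') {                    # close container
            return (0, $max, "unbalanced 'e' at offset $pos") if $depth == 0;
            $depth--; $pos++;
        }
        elsif ($c eq 'i') {                    # integer: i<digits>e
            my $end = index $buf, 'e', $pos;
            return (0, $max, "bad integer at offset $pos")
                if $end < 0 or substr($buf, $pos + 1, $end - $pos - 1) !~ /\A-?\d+\z/;
            $pos = $end + 1;
        }
        elsif ($c =~ /\d/) {                   # string: <len>:<bytes>
            my $colon = index $buf, ':', $pos;
            my $n = $colon < 0 ? '' : substr($buf, $pos, $colon - $pos);
            return (0, $max, "bad string length at offset $pos") if $n !~ /\A\d+\z/;
            $pos = $colon + 1 + $n;
            return (0, $max, "string runs past end of input") if $pos > $len;
        }
        else {
            return (0, $max, "unexpected byte at offset $pos");
        }
    }
    return (0, $max, "unterminated container") if $depth != 0;
    return (1, $max, undef);
}

# Constructed inputs: a .torrent-like dictionary (depth 2) and the 150,000-deep
# list from the description, refused at depth 101 without walking the rest.
my $torrent = 'd8:announce23:http://tracker/announce4:infod6:lengthi1024e4:name4:fileee';
my $flood   = ('l' x 150_000) . ('e' x 150_000);
for my $in ($torrent, $flood) {
    my ($ok, $max, $err) = bencode_depth_ok($in);
    printf "%-6s max depth %d%s\n", $ok ? 'accept' : 'reject', $max, $ok ? '' : " ($err)";
}
```

Running the check on every inbound buffer (peer metadata, DHT message, tracker response, .torrent file) costs one linear pass and bounds the work the recursive decoder can be made to do.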
