Skip to main content

Bytes::Random::Secure CVE-2026-11625

| EUVDEUVD-2026-39640 HIGH
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) (CWE-335)
2026-06-26 CPANSec GHSA-r57w-h3mc-4jrv
7.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Predictable secrets can be exploited remotely (AV:N) but only when the app uses the pre-fork/functional pattern and the attacker correlates streams, raising complexity (AC:H); high confidentiality impact, no integrity/availability effect.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 26, 2026 - 17:26 vuln.today
Analysis Generated
Jun 26, 2026 - 17:26 vuln.today
CVSS changed
Jun 26, 2026 - 17:22 NVD
7.5 (HIGH)
CVE Published
Jun 26, 2026 - 08:07 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.

When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.

Secrets generated in multiprocess applications are predictable across processes.

AnalysisAI

Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module fails to detect process forks, causing parent and child processes to share identical PRNG internal state. Applications that instantiate a generator object before fork()ing - or that use the module's functional (procedural) interface - will emit identical random streams across processes, making session tokens, keys, salts, and other secrets predictable across workers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify forking Perl app using shared PRNG state
Delivery
Obtain one issued secret from a worker
Exploit
Predict identical stream in sibling processes
Execution
Forge tokens or session identifiers
Impact
Hijack sessions or impersonate users

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim application uses Bytes::Random::Secure in one of two specific patterns: an OO generator object instantiated BEFORE the process calls fork(), or the module's functional/procedural interface used across forked processes - in either case the seeded PRNG state is copied into children and never re-seeded. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and worth reconciling. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A preforking Perl web application initializes a Bytes::Random::Secure generator at startup, then forks multiple worker processes that each issue session tokens or password-reset values from the shared, identical PRNG state. An attacker who obtains a token from one worker can predict the tokens emitted by sibling workers, hijacking other users' sessions or forging reset links. …
Remediation Apply the upstream fix that adds fork/PID detection so the RNG is re-seeded in each child process; the patch is published at https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch and corresponds to pull request https://github.com/daoswald/Bytes-Random-Secure/pull/4 - upgrade to the patched release once it is published to CPAN (a fix is available per vendor advisory, though a specific tagged release version is not stated in the provided data, so verify the fixed version on MetaCPAN before pinning). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems using Bytes::Random::Secure and determine whether affected applications fork processes after instantiating the generator. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important

Share

CVE-2026-11625 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy