Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers.
The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three.
Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow.
AnalysisAI
Denial-of-service via stack buffer overflow in CryptX (Perl cryptography module) versions before 0.088_001 affects four AEAD decryption helpers that copy attacker-controlled authentication tags into a fixed 144-byte stack buffer without bounds checking. Remote attackers can crash any Perl application that passes untrusted tags to gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, or eax_decrypt_verify, resulting in process termination. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 13th percentile) reflects low expected exploitation activity despite the network attack vector.
Technical ContextAI
CryptX is a widely used Perl module by Karel Miko (MIK on CPAN) providing a unified XS interface to the LibTomCrypt C library for cryptographic primitives including AEAD ciphers. The vulnerability is a classic CWE-121 stack-based buffer overflow located in the XS glue code (CryptX_AuthEnc_GCM.xs.inc and three companion files), where the XS routines declared a fixed-size stack array of MAXBLOCKSIZE (144 bytes) to hold the authentication tag, then used the Copy() macro to memcpy the SV-derived caller buffer of length t_len into it without comparing t_len to sizeof(tag). The patch (commits 57e69e5 and 7e56347) adds a clamp so that tag_len is min(t_len, sizeof(tag)) before copying. The affected CPE is cpe:2.3:a:mik:cryptx and the issue impacts any of the four AEAD modes (GCM, CCM, ChaCha20-Poly1305, EAX) exposed by the module.
RemediationAI
Vendor-released patch: upgrade CryptX to 0.088_001 or later from CPAN (https://metacpan.org/release/MIK/CryptX-0.088_001); note that 0.088 is insufficient because it only clamps GCM and leaves CCM, ChaCha20-Poly1305, and EAX vulnerable, per upstream commits 57e69e541b0718ca8724c2f61514322a2d859bc1 and 7e56347d420aaf43b2ee1586f4a230492ccf1642 in DCIT/perl-CryptX. If immediate upgrade is impossible, audit calling code to enforce a maximum tag length of 16 bytes (or the actual cipher's standard tag size: 16 for GCM/CCM/ChaCha20-Poly1305/EAX) before invoking the affected helpers - this works because no legitimate AEAD construction produces tags larger than the 144-byte stack buffer, but it requires a code change in every consumer and will not protect callers you do not control. Distribution-level mitigation is to repackage Perl applications with the patched CryptX; see also the oss-security disclosure thread at http://www.openwall.com/lists/oss-security/2026/05/28/10 for community discussion.
PRNG state reuse across forked processes in CryptX for Perl allows remote attackers to recover private signing keys thro
Non-constant-time AEAD authentication tag comparison in CryptX before 0.088_001 for Perl exposes a timing oracle in the
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32906
GHSA-4p3p-7392-hjw4