
Net::BitTorrent CVE-2026-57080

EUVD: EUVD-2026-40289 · HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-30 CPANSec GHSA-h9mr-rh28-v9r2
7.5
CVSS 3.1 · Vendor: CPANSec

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated remote peer (AV:N/PR:N/UI:N) trivially triggers unbounded buffering (AC:L) for an availability-only memory-exhaustion DoS (C:N/I:N/A:H), no scope change.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS Vector (Vendor: CPANSec)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

Analysis Generated
Jun 30, 2026 - 14:23 vuln.today
CVSS changed
Jun 30, 2026 - 14:22 NVD
7.5 (HIGH)
CVE Published
Jun 30, 2026 - 11:04 cve.org
UNKNOWN (no severity yet)

Description (CVE.org)

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix.

The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit.

Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.
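The framing defect described above is easiest to see side by side with its fix. The following is an added illustration written for this page in Python; it is not code from Net::BitTorrent (which is Perl) and does not reproduce its _process_messages or receive_data routines. The cap value (a 16 KiB `piece` message: id + index + begin + block) is this editor's choice based on the description's "largest legitimate message" statement, and the frames fed to the decoders are constructed, not captured traffic. The unbounded decoder keeps buffering toward whatever length the peer announces; the bounded decoder rejects the header before committing to the payload.

```python
from __future__ import annotations
import struct

# Largest legitimate peer-wire message, per the advisory text, is a `piece`
# message carrying a 16 KiB block. The 4-byte length prefix counts the message
# id plus the payload: id (1) + index (4) + begin (4) + block (16384).
# This cap is an illustrative assumption, not a value from Net::BitTorrent.
MAX_MESSAGE_LEN = 1 + 4 + 4 + 16 * 1024  # 16393


class OversizedMessage(Exception):
    """A peer announced a length prefix larger than the decoder accepts."""


class UnboundedDecoder:
    """Mirrors the described defect: every inbound byte is appended and the
    announced length is trusted, so the buffer grows toward the peer's figure."""

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, data: bytes) -> list:
        self.buf += data
        messages = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack("!I", self.buf[:4])
            if len(self.buf) < 4 + length:
                break  # wait for the full message; nothing bounds `length`
            messages.append(bytes(self.buf[4:4 + length]))
            del self.buf[:4 + length]
        return messages


class BoundedDecoder:
    """Hardened form: validate the length prefix as soon as the 4 header bytes
    are present, before the decoder commits to buffering any payload."""

    def __init__(self, max_len: int = MAX_MESSAGE_LEN) -> None:
        self.buf = bytearray()
        self.max_len = max_len

    def feed(self, data: bytes) -> list:
        self.buf += data
        messages = []
        while len(self.buf) >= 4:
            (length,) = struct.unpack("!I", self.buf[:4])
            if length > self.max_len:
                self.buf.clear()  # retain nothing; the caller should drop this peer
                raise OversizedMessage(f"announced {length} bytes, cap is {self.max_len}")
            if len(self.buf) < 4 + length:
                break
            messages.append(bytes(self.buf[4:4 + length]))
            del self.buf[:4 + length]
        return messages


# Constructed frames for the demonstration (not captured traffic).
KEEP_ALIVE = struct.pack("!I", 0)             # length 0: keep-alive
HAVE_7 = struct.pack("!IBI", 5, 4, 7)         # length 5, id 4 (have), piece index 7
HUGE_HEADER = struct.pack("!I", 0xFFFFFFF0)   # announces roughly 4 GiB
CHUNK = b"\x00" * 1024                        # one KiB of follow-on bytes


def legit_traffic(decoder) -> list:
    """Both decoders must still parse ordinary traffic, including a message
    that arrives split across two socket reads."""
    out = decoder.feed(KEEP_ALIVE + HAVE_7[:3])
    out += decoder.feed(HAVE_7[3:])
    return out


def buffered_after_huge(decoder, chunks: int):
    """Feed the oversized header, then `chunks` KiB of payload. Return how many
    bytes the decoder is holding, or the exception name if it refused the frame."""
    try:
        decoder.feed(HUGE_HEADER)
        for _ in range(chunks):
            decoder.feed(CHUNK)
    except OversizedMessage as exc:
        return type(exc).__name__
    return len(decoder.buf)


if __name__ == "__main__":
    print(legit_traffic(BoundedDecoder()))
    print(buffered_after_huge(UnboundedDecoder(), chunks=64))  # 4 + 64 KiB and still waiting
    print(buffered_after_huge(BoundedDecoder(), chunks=64))    # OversizedMessage, buffer empty
```

The per-message cap is only part of the fix: the hardened decoder still appends each socket read before checking, so the caller should read in bounded chunks and close the connection on `OversizedMessage` rather than letting the peer retry. A per-peer ceiling on total buffered bytes is a reasonable second layer, since a peer can also pipeline many legitimately sized messages.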

Analysis (AI)

Remote memory exhaustion in the Net::BitTorrent Perl module (all versions through 2.0.1) lets any unauthenticated peer in a torrent swarm crash the downloading process by abusing the peer-wire protocol's length-prefix framing. Because the decoder buffers an entire announced message before processing and trusts an attacker-supplied length prefix of up to ~4 GiB, a single malicious peer can drive the victim's memory toward exhaustion. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access
Join victim's torrent swarm as peer
Delivery
Complete peer-wire handshake
Exploit
Announce ~4 GiB message length prefix
Execution
Stream bytes filling input buffer
Impact
Exhaust process memory (DoS)

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only that the victim is running Net::BitTorrent (≤2.0.1) and is connected to the attacker as a peer in a swarm - peer connections are unauthenticated, so any peer the victim connects to or accepts can trigger it. …

Risk Assessment: The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H = 7.5 HIGH) is internally consistent with the description: network reachable, low complexity, no privileges, no user interaction, and an availability-only impact - there is no confidentiality or integrity exposure, only denial of service via memory exhaustion. …

Exploit Scenario: An attacker joins the target's torrent swarm as an ordinary unauthenticated peer, completes the handshake, and sends a peer-wire message header announcing a length prefix near 4 GiB, then slowly streams bytes. The victim's Net::BitTorrent process buffers all incoming bytes while waiting for the full message, consuming memory until it is exhausted and the process crashes or the host degrades. …

Remediation: No vendor-released patched version is identified in the available data; the only fix reference is the GitHub Security Advisory GHSA-7jr6-2jf4-6qc4 (https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-7jr6-2jf4-6qc4), so consult it for the fixed release and upgrade beyond 2.0.1 once published. …

Recommended Action (AI)

Within 24 hours: Inventory all systems running Net::BitTorrent Perl module version 2.0.1 or earlier and categorize by business criticality. …



CVE-2026-57080 vulnerability details – vuln.today
