Skip to main content

Bytes::Random::Secure::Tiny EUVDEUVD-2026-39641

| CVE-2026-11702 HIGH
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) (CWE-335)
2026-06-26 CPANSec GHSA-vcwj-3q56-r32w
7.5
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Confidentiality-only predictable secrets; AC:H because exploitation needs the victim's init-before-fork pattern and the attacker must predict the shared stream; no attacker privileges, so PR:N.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 26, 2026 - 17:26 vuln.today
Analysis Generated
Jun 26, 2026 - 17:26 vuln.today
CVSS changed
Jun 26, 2026 - 17:22 NVD
7.5 (HIGH)
CVE Published
Jun 26, 2026 - 08:13 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.

When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.

Secrets generated in multiprocess applications are predictable across processes.

AnalysisAI

Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify preforked Perl app using shared PRNG
Delivery
Request a secret from attacker-controlled session
Exploit
Observe predictable random output
Execution
Reconstruct shared ISAAC stream
Persist
Predict victim worker's secrets
Impact
Hijack session or forge token

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to initialize a Bytes::Random::Secure::Tiny object BEFORE calling fork() and to reuse that single object across child processes - the classic preforking server pattern; applications that create the generator per-process after forking, or that never fork, are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should not be over-weighted by the 7.5/High CVSS alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A preforking Perl web application creates one Bytes::Random::Secure::Tiny generator at startup, then forks N workers that each serve requests; because every worker inherited identical PRNG state, an attacker who obtains the session token issued by their own worker can predict the tokens other workers issue to other users. No public POC is identified, but the prediction is deterministic once the shared seed's output is observed, making session hijacking or secret forgery feasible against a vulnerable deployment.
Remediation Patch available per vendor advisory; an upstream fix exists as PR #7 plus a MetaCPAN security patch (CVE-2026-11702-r1.patch) that adds PID-based fork detection and re-seeds the PRNG when the process forks - apply the patched build once your distribution publishes a fixed release above 1.011 (no fixed version number is independently confirmed in the available data, so verify the release before pinning). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit your Perl applications for use of Bytes::Random::Secure::Tiny (check cpanfile, Makefile.PL, or package manifests). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important

Share

EUVD-2026-39641 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy