Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Confidentiality-only predictable secrets; AC:H because exploitation needs the victim's init-before-fork pattern and the attacker must predict the shared stream; no attacker privileges, so PR:N.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes.
When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced.
Secrets generated in multiprocess applications are predictable across processes.
AnalysisAI
Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target application to initialize a Bytes::Random::Secure::Tiny object BEFORE calling fork() and to reuse that single object across child processes - the classic preforking server pattern; applications that create the generator per-process after forking, or that never fork, are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should not be over-weighted by the 7.5/High CVSS alone. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A preforking Perl web application creates one Bytes::Random::Secure::Tiny generator at startup, then forks N workers that each serve requests; because every worker inherited identical PRNG state, an attacker who obtains the session token issued by their own worker can predict the tokens other workers issue to other users. No public POC is identified, but the prediction is deterministic once the shared seed's output is observed, making session hijacking or secret forgery feasible against a vulnerable deployment. |
| Remediation | Patch available per vendor advisory; an upstream fix exists as PR #7 plus a MetaCPAN security patch (CVE-2026-11702-r1.patch) that adds PID-based fork detection and re-seeds the PRNG when the process forks - apply the patched build once your distribution publishes a fixed release above 1.011 (no fixed version number is independently confirmed in the available data, so verify the release before pinning). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit your Perl applications for use of Bytes::Random::Secure::Tiny (check cpanfile, Makefile.PL, or package manifests). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity va
Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39641
GHSA-vcwj-3q56-r32w