Bytes
Monthly
Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. Reported by CPANSec with an upstream fix; EPSS is low (0.16%, 5th percentile) and there is no public exploit identified at time of analysis.
Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module fails to detect process forks, causing parent and child processes to share identical PRNG internal state. Applications that instantiate a generator object before fork()ing - or that use the module's functional (procedural) interface - will emit identical random streams across processes, making session tokens, keys, salts, and other secrets predictable across workers. No public exploit is identified at time of analysis, and EPSS is low (0.16%, 6th percentile); CPANSec reported it and an upstream fix is available.
Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity value, leading to out-of-bounds memory access and undefined behavior in release builds. Public exploit code exists for this vulnerability, affecting applications that depend on Bytes for buffer management. A patch is available in version 1.11.1.
Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. Reported by CPANSec with an upstream fix; EPSS is low (0.16%, 5th percentile) and there is no public exploit identified at time of analysis.
Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module fails to detect process forks, causing parent and child processes to share identical PRNG internal state. Applications that instantiate a generator object before fork()ing - or that use the module's functional (procedural) interface - will emit identical random streams across processes, making session tokens, keys, salts, and other secrets predictable across workers. No public exploit is identified at time of analysis, and EPSS is low (0.16%, 6th percentile); CPANSec reported it and an upstream fix is available.
Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity value, leading to out-of-bounds memory access and undefined behavior in release builds. Public exploit code exists for this vulnerability, affecting applications that depend on Bytes for buffer management. A patch is available in version 1.11.1.