Skip to main content

Bytes

3 CVEs product

Monthly

CVE-2026-11702 HIGH PATCH This Week

Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. Reported by CPANSec with an upstream fix; EPSS is low (0.16%, 5th percentile) and there is no public exploit identified at time of analysis.

Information Disclosure Bytes
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11625 HIGH PATCH This Week

Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module fails to detect process forks, causing parent and child processes to share identical PRNG internal state. Applications that instantiate a generator object before fork()ing - or that use the module's functional (procedural) interface - will emit identical random streams across processes, making session tokens, keys, salts, and other secrets predictable across workers. No public exploit is identified at time of analysis, and EPSS is low (0.16%, 6th percentile); CPANSec reported it and an upstream fix is available.

Information Disclosure Bytes
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-25541 Cargo HIGH POC PATCH This Week

Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity value, leading to out-of-bounds memory access and undefined behavior in release builds. Public exploit code exists for this vulnerability, affecting applications that depend on Bytes for buffer management. A patch is available in version 1.11.1.

Integer Overflow Bytes
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Predictable secret generation in the Perl module Bytes::Random::Secure::Tiny (versions through 1.011) occurs because a PRNG object initialized before a fork() shares its ISAAC engine state across all child processes, causing every child to emit identical 'random' streams. Multiprocess Perl applications (e.g., preforking web servers) that create one generator and reuse it after forking will produce duplicate session tokens, keys, salts, or nonces across workers. Reported by CPANSec with an upstream fix; EPSS is low (0.16%, 5th percentile) and there is no public exploit identified at time of analysis.

Information Disclosure Bytes
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Predictable secret generation in the Perl module Bytes::Random::Secure (versions through 0.29) occurs because the module fails to detect process forks, causing parent and child processes to share identical PRNG internal state. Applications that instantiate a generator object before fork()ing - or that use the module's functional (procedural) interface - will emit identical random streams across processes, making session tokens, keys, salts, and other secrets predictable across workers. No public exploit is identified at time of analysis, and EPSS is low (0.16%, 6th percentile); CPANSec reported it and an upstream fix is available.

Information Disclosure Bytes
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity value, leading to out-of-bounds memory access and undefined behavior in release builds. Public exploit code exists for this vulnerability, affecting applications that depend on Bytes for buffer management. A patch is available in version 1.11.1.

Integer Overflow Bytes
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy