{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2588", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-02-16T14:52:54.157Z", "datePublished": "2026-02-22T23:31:19.720Z", "dateUpdated": "2026-02-23T18:47:51.202Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Crypt-NaCl-Sodium", "product": "Crypt::NaCl::Sodium", "programFiles": ["Sodium.xs"], "repo": "https://github.com/cpan-authors/crypt-nacl-sodium", "vendor": "TIMLEGGE", "versions": [{"lessThanOrEqual": "2.001", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Timothy Legge (timlegge)"}], "descriptions": [{"lang": "en", "value": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.\n\nSodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-02-22T23:31:19.720Z"}, "references": [{"tags": ["related"], "url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119"}, {"tags": ["patch"], "url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch"}, {"tags": ["patch"], "url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch"}], "solutions": [{"lang": "en", "value": "Upgrade to version 2.002"}], "source": {"discovery": "UNKNOWN"}, "title": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-23T18:46:11.334461Z", "id": "CVE-2026-2588", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:47:51.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2588", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-23T18:46:11.334461Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-23T18:45:23.032Z"}}], "cna": {"title": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Timothy Legge (timlegge)"}], "affected": [{"repo": "https://github.com/cpan-authors/crypt-nacl-sodium", "vendor": "TIMLEGGE", "product": "Crypt::NaCl::Sodium", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.001"}], "packageName": "Crypt-NaCl-Sodium", "programFiles": ["Sodium.xs"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to version 2.002"}], "references": [{"url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119", "tags": ["related"]}, {"url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch", "tags": ["patch"]}, {"url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch", "tags": ["patch"]}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.\n\nSodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-02-22T23:31:19.720Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2588", "state": "PUBLISHED", "dateUpdated": "2026-02-23T18:47:51.202Z", "dateReserved": "2026-02-16T14:52:54.157Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-02-22T23:31:19.720Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:timlegge:crypt\\:\\:nacl\\:\\:sodium:*:*:*:*:*:perl:*:*", "matchCriteriaId": "B6016263-ACDC-444F-A4A8-367181F53E71", "versionEndIncluding": "2.001", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.\n\nSodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits."}, {"lang": "es", "value": "Las versiones de Crypt::NaCl::Sodium hasta la 2.001 para Perl tienen una falla de desbordamiento de entero en sistemas de 32 bits.\n\nSodium.xs convierte un STRLEN (size_t) a unsigned long long al pasar un puntero de longitud a las funciones de libsodium. En sistemas de 32 bits, size_t es t\u00edpicamente de 32 bits, mientras que un unsigned long long es de al menos 64 bits."}], "id": "CVE-2026-2588", "lastModified": "2026-03-04T02:23:33.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-23T00:15:59.330", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"], "url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch"}, {"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product", "Release Notes"], "url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.001]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Crypt::NaCl::Sodium", "source": "cna", "vendor": "TIMLEGGE"}, "product": "crypt::nacl::sodium", "vendor": "timlegge"}], "analysis": {"en": {"generated_at": "2026-04-17T16:28:33.391716+00:00", "value": {"mitigation_remediation": ["Upgrade Crypt::NaCl::Sodium to version 2.002 or later.", "Remove the Crypt::NaCl::Sodium module from any application that cannot be updated immediately, or replace it with an alternative cryptographic library.", "Consider migrating the environment to a 64\u2011bit architecture, where the size_t to unsigned long long conversion issue does not exist."], "summary": {"action": "Immediate Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "The affected product is the Perl module Crypt::NaCl::Sodium from vendor TIMLEGGE. Versions up to and including 2.001 on 32\u2011bit platforms are impacted. The recommended safe version is 2.002 and later. The vulnerability affects only 32\u2011bit operating systems; 64\u2011bit systems are not susceptible due to the difference in size_t length.", "description_and_impact": "The vulnerability is an integer overflow flaw that occurs on 32\u2011bit systems when the Perl module Crypt::NaCl::Sodium casts a STRLEN (size_t) to an unsigned long long before passing it to libsodium functions. This incorrect type conversion can produce a length value that is too large for the actual buffer, leading to potential memory corruption. The flaw is classified as CWE-190 and carries a CVSS score of 9.1, indicating a severe risk that could allow an attacker to potentially execute arbitrary code or crash the application if exploited. The exact exploitation steps are not specified, but the likely attack vector is through any application that imports and uses the affected module, exploiting the distorted length parameter.", "risk_and_exploitability": "With a CVSS score of 9.1 and an EPSS score of less than 1%, the probability of active exploitation is low but not negligible, and the vulnerability is not currently listed in the CISA KEV catalog. The combination of a very low exploitation probability and a severe severity score still necessitates prompt remediation. Inference indicates that the exploit requires a 32\u2011bit build and an application that relies on the Crypt::NaCl::Sodium module, making it less likely to be widely exploited across all Perl deployments. However, because memory corruption can lead to unpredictable behavior\u2014including potential remote code execution\u2014the risk remains significant if the module is used in sensitive or high\u2011privilege contexts."}}}}, "created": "2026-02-23T14:28:39.425631+00:00", "updated": "2026-04-17T16:30:05.840028+00:00", "vendors": ["timlegge", "timlegge$PRODUCT$crypt::nacl::sodium"]}