
Description

Crypt::DSA versions before 1.21 for Perl reused the nonce across signatures, leading to private-key recovery. Crypt::DSA::sign caches the per-signature nonce material in the Key object without ever clearing it. The first sign() on a Key object picks a nonce, and every later sign() on that same object reuses it, producing an identical "r". Keys used to sign more than once with an affected version should be considered compromised.
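The following is an added illustration, not code from Crypt::DSA or from the advisory: a toy DSA in Python that reproduces the pattern described above (a nonce drawn once and cached on the key object, so every later signature shares the same r), beside the corrected signer, plus the defender-side check of scanning a key's signatures for a repeated r. The domain parameters, key, hash values and class names are constructed for illustration and are far too small to be secure.

```python
import secrets

# Constructed toy DSA domain parameters (insecure, tiny, illustration only):
# q divides p-1 and g = 2 has order q modulo p.
P, Q, G = 23, 11, 2

def dsa_sign(x, h, k):
    """Textbook DSA: sign hash value h under private key x with nonce k."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, nonce must be re-drawn")
    return r, s

def dsa_verify(y, h, sig):
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

class CachedNonceKey:
    """Mirrors the defect: the nonce is drawn on the first sign() and then
    kept on the key object, so every later sign() reuses it (identical r)."""
    def __init__(self, x, pick_nonce=lambda: secrets.randbelow(Q - 1) + 1):
        self.x, self.y, self._pick, self._k = x, pow(G, x, P), pick_nonce, None
    def sign(self, h):
        if self._k is None:
            self._k = self._pick()                # only ever happens once
        return dsa_sign(self.x, h, self._k)

class FreshNonceKey(CachedNonceKey):
    """Corrected behaviour: a new nonce for every signature, never stored."""
    def sign(self, h):
        while True:
            try:
                return dsa_sign(self.x, h, self._pick())
            except ValueError:
                continue                          # re-draw on r == 0 or s == 0

def repeated_r(signatures):
    """Check over (r, s) pairs made under one key: an r seen more than once is
    the observable symptom of nonce reuse, and that key should be treated as
    compromised."""
    seen, repeats = set(), set()
    for r, _ in signatures:
        (repeats if r in seen else seen).add(r)
    return repeats
```

Injecting `pick_nonce` only makes the toy deterministic for inspection; the default draws from `secrets`.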

Status: PUBLISHED | Reserved 2026-06-14 | Published 2026-06-15 | Updated 2026-06-16 | Assigner: CPANSec

Problem types

CWE-323 Reusing a Nonce, Key Pair in Encryption

Product status

Default status: unaffected

Any version before 1.21: affected

Timeline

2026-05-16: Maintainer contacted
2026-06-13: Maintainer and CPANSec contacted
2026-06-14: Fixed version released

Credits

Richard Kettlewell (finder)

References

www.openwall.com/lists/oss-security/2026/06/15/4

metacpan.org/...LEGGE/Crypt-DSA-1.20/source/lib/Crypt/DSA.pm

metacpan.org/release/TIMLEGGE/Crypt-DSA-1.21/changes release-notes

cve.org (CVE-2026-12205)

nvd.nist.gov (CVE-2026-12205)
