Description

Crypt::NaCl::Sodium versions through 2.001 for Perl have an integer overflow flaw on 32-bit systems. Sodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems, size_t is typically 32 bits wide, while unsigned long long is at least 64 bits.
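
The pointer-width mismatch described above, as an added example (not code from Sodium.xs, its patches, or libsodium). The names `strlen32_t`, `model_call`, `struct frame32`, `narrow_len` and `safe_call` are hypothetical, and `uint32_t` stands in for a 32-bit STRLEN so the effect is visible on any host. It models the flawed 64-bit store beside a pattern that passes a correctly sized temporary and narrows with a range check.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t strlen32_t;            /* models STRLEN/size_t on a 32-bit build */

/* Hypothetical stand-in for a libsodium-style call: the output length is
 * reported through an unsigned long long pointer, i.e. a 64-bit store. */
static int model_call(unsigned char *out, unsigned long long *outlen_p,
                      const unsigned char *in, unsigned long long inlen)
{
    memcpy(out, in, (size_t)inlen);
    *outlen_p = inlen;
    return 0;
}

/* A 4-byte length with a 4-byte neighbour, as the two could sit in memory. */
struct frame32 { strlen32_t len; uint32_t neighbour; };
_Static_assert(sizeof(struct frame32) == sizeof(unsigned long long),
               "model assumes a 64-bit unsigned long long");

/* Flawed pattern, modelled without undefined behaviour: memcpy reproduces the
 * 8-byte store that a callee performs through (unsigned long long *)&f.len. */
static uint32_t flawed_neighbour_after_store(unsigned long long reported)
{
    struct frame32 f = { 0, 0xA5A5A5A5u };
    memcpy(&f, &reported, sizeof reported);
    return f.neighbour;                 /* no longer 0xA5A5A5A5 */
}

/* Narrow a 64-bit length to the 32-bit type only when it fits. */
static int narrow_len(unsigned long long v, strlen32_t *dst)
{
    if (v > UINT32_MAX) return -1;
    *dst = (strlen32_t)v;
    return 0;
}

/* Corrected pattern: pass a real unsigned long long, then narrow with a check. */
static int safe_call(unsigned char *out, strlen32_t *outlen,
                     const unsigned char *in, strlen32_t inlen)
{
    unsigned long long tmp = 0;
    if (model_call(out, &tmp, in, inlen) != 0) return -1;
    return narrow_len(tmp, outlen);
}
```

Compiling wrapper code for a 32-bit target with warnings for incompatible pointer types enabled, and reviewing any explicit cast to `unsigned long long *`, is a practical way to find this pattern in other bindings.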

PUBLISHED Reserved 2026-02-16 | Published 2026-02-22 | Updated 2026-02-23 | Assigner CPANSec

Problem types

CWE-190 Integer Overflow or Wraparound

Product status

Default status: unaffected

Any version: affected

Credits

Timothy Legge (timlegge) finder

References

metacpan.org/...GGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs related

github.com/...8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch patch

github.com/...557388bdb4da416a56663cda0154b80cd524395c.patch patch

cve.org (CVE-2026-2588)

nvd.nist.gov (CVE-2026-2588)
