CVE-2026-30910

{"id": "CVE-2026-30910", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-08T02:16:00.620", "references": [{"url": "https://metacpan.org/release/IAMB/Crypt-Sodium-XS-0.001001/changes", "tags": ["Release Notes"], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/08/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "description": [{"lang": "en", "value": "CWE-190"}]}], "descriptions": [{"lang": "en", "value": "Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows.\n\nCombined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. This can cause a crash in bin2hex and encryption algorithms other than aes256gcm. For aes256gcm encryption and signatures, an undersized buffer could lead to buffer overflow.\n\nEncountering this issue is unlikely as the message length would need to be very large.\n\nFor bin2hex the input size would have to be > SIZE_MAX / 2 For aegis encryption the input size would need to be > SIZE_MAX - 32U For other encryption the input size would need to be > SIZE_MAX - 16U For signatures the input size would need to be > SIZE_MAX - 64U"}, {"lang": "es", "value": "Las versiones de Crypt::Sodium::XS hasta la 0.001000 para Perl tienen posibles desbordamientos de enteros.\n\nEl cifrado AEAD combinado, la creaci\u00f3n de firmas combinada y las funciones bin2hex no verifican que el tama\u00f1o de salida sea menor que SIZE_MAX, lo que podr\u00eda llevar a un 'integer wraparound' causando un b\u00fafer de salida de tama\u00f1o insuficiente. Esto puede causar un fallo en bin2hex y en algoritmos de cifrado distintos de aes256gcm. Para el cifrado aes256gcm y las firmas, un b\u00fafer de tama\u00f1o insuficiente podr\u00eda llevar a un desbordamiento de b\u00fafer.\n\nEs poco probable encontrar este problema, ya que la longitud del mensaje tendr\u00eda que ser muy grande.\n\nPara bin2hex, el tama\u00f1o de entrada tendr\u00eda que ser > SIZE_MAX / 2\nPara el cifrado aegis, el tama\u00f1o de entrada tendr\u00eda que ser > SIZE_MAX - 32U\nPara otros cifrados, el tama\u00f1o de entrada tendr\u00eda que ser > SIZE_MAX - 16U\nPara las firmas, el tama\u00f1o de entrada tendr\u00eda que ser > SIZE_MAX - 64U"}], "lastModified": "2026-03-10T18:18:51.633", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:iamb:crypt\\:\\:sodium\\:\\:xs:*:*:*:*:*:perl:*:*", "vulnerable": true, "matchCriteriaId": "36F9F8AC-0EDB-4FA5-9E11-1F85AC15D3E8", "versionEndIncluding": "0.001001"}], "operator": "OR"}]}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e"}