CVE-2026-11625

EUVD-2026-39640
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes.

When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced.

Secrets generated in multiprocess applications are predictable across processes.
PRNG
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Debian logo
Debian Releases
Debian Product
Codename
libbytes-random-secure-perl
bookworm
no-dsa
bullseye
vulnerable
forky
vulnerable
sid
0.29-4
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/daoswald/Bytes-Random-Secure/issues/3
https://github.com/daoswald/Bytes-Random-Secure/pull/4
https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch
https://www.cve.org/CVERecord?id=CVE-2026-41564