CVE-2026-11625: CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) in DAVIDO Bytes::Random::Secure
Bytes::Random::Secure versions up to 0.29 for Perl have a vulnerability where the internal state of the pseudo-random number generator (PRNG) is shared across forked processes. This occurs when an object is initialized before forking or when the functional interface is used, causing identical random streams in multiple processes. As a result, secrets generated in multiprocess applications can be predictable across these processes.
AI Analysis
Technical Summary
The vulnerability in DAVIDO Bytes::Random::Secure (CVE-2026-11625) involves incorrect usage of seeds in the PRNG, specifically the sharing of internal state across forked processes. When the PRNG object is created before a fork or when using the functional interface, the internal state is duplicated, leading to identical random sequences in child processes. This predictability undermines the security of secrets generated in multiprocess environments, as the random values are not independent per process.
Potential Impact
Secrets generated by the PRNG in multiprocess Perl applications using Bytes::Random::Secure versions up to 0.29 may be predictable due to shared internal state after forking. This predictability can compromise the confidentiality and security of cryptographic operations relying on these random values.
Mitigation Recommendations
No official patch or remediation level is currently provided. Users should avoid initializing PRNG objects before forking or using the functional interface in multiprocess applications until a fix is available. Monitor the vendor advisory for updates on patches or official fixes.
CVE-2026-11625: CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) in DAVIDO Bytes::Random::Secure
Description
Bytes::Random::Secure versions up to 0.29 for Perl have a vulnerability where the internal state of the pseudo-random number generator (PRNG) is shared across forked processes. This occurs when an object is initialized before forking or when the functional interface is used, causing identical random streams in multiple processes. As a result, secrets generated in multiprocess applications can be predictable across these processes.
Affected software
pkg:github/Bytes-Random-SecureRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in DAVIDO Bytes::Random::Secure (CVE-2026-11625) involves incorrect usage of seeds in the PRNG, specifically the sharing of internal state across forked processes. When the PRNG object is created before a fork or when using the functional interface, the internal state is duplicated, leading to identical random sequences in child processes. This predictability undermines the security of secrets generated in multiprocess environments, as the random values are not independent per process.
Potential Impact
Secrets generated by the PRNG in multiprocess Perl applications using Bytes::Random::Secure versions up to 0.29 may be predictable due to shared internal state after forking. This predictability can compromise the confidentiality and security of cryptographic operations relying on these random values.
Mitigation Recommendations
No official patch or remediation level is currently provided. Users should avoid initializing PRNG objects before forking or using the functional interface in multiprocess applications until a fix is available. Monitor the vendor advisory for updates on patches or official fixes.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- CPANSec
- Date Reserved
- 2026-06-08T21:02:09.596Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3e3c4d4853345fc18a5eca
Added to database: 06/26/2026, 08:46:05 UTC
Last enriched: 06/26/2026, 09:01:08 UTC
Last updated: 06/26/2026, 09:01:08 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.