CVE-2026-2474: CWE-122 Heap-based Buffer Overflow in DDICK Crypt::URandom
Crypt::URandom versions from 0.41 before 0.55 for Perl are vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to getrandom(data, length, GRND_NONBLOCK) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.
AI Analysis
Technical Summary
CVE-2026-2474 identifies a heap-based buffer overflow vulnerability in the Perl module Crypt::URandom, specifically in versions from 0.41 before 0.55. The vulnerability exists in the XS function crypt_urandom_getrandom(), which is responsible for generating random bytes. The function accepts a length parameter that is expected to be non-negative. However, it does not validate this parameter properly. If a negative value such as -1 is passed, the expression length + 1u causes an integer wraparound due to unsigned integer arithmetic, resulting in a zero-byte allocation for the buffer. Subsequently, the getrandom() system call is invoked with the original negative length value, which is implicitly converted to a very large unsigned integer (typically SIZE_MAX). This leads to writes beyond the allocated buffer, causing heap memory corruption and potentially crashing the application, resulting in a denial of service condition. While the vulnerability could theoretically allow memory corruption, exploitation is limited because the length parameter is often hardcoded by developers, reducing the chance of attacker-controlled input. However, applications that pass untrusted or user-supplied input to this parameter are vulnerable. No public exploits or active exploitation have been reported to date. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-1284 (Improper Validation of Array Index or Pointer Offset). No CVSS score has been assigned yet. The vulnerability was published on February 16, 2026, and affects the DDICK Crypt::URandom Perl module, a component used for cryptographically secure random number generation in Perl applications.
Potential Impact
For European organizations, the primary impact of CVE-2026-2474 is the risk of denial of service through application crashes caused by heap memory corruption. This could disrupt services relying on Perl applications that use the vulnerable Crypt::URandom module, particularly if those applications accept untrusted input for the length parameter. While the vulnerability does not directly enable remote code execution or data leakage, heap corruption could potentially be leveraged in complex attack chains, increasing risk in sensitive environments. Organizations in sectors such as finance, telecommunications, and critical infrastructure that use Perl-based software for cryptographic operations or random number generation may experience service outages or degraded reliability. The absence of known exploits reduces immediate risk, but the vulnerability's presence in open-source Perl modules means that attackers could develop exploits if untrusted input usage is common. Additionally, denial of service attacks could be used as part of larger multi-vector attacks targeting European organizations. The impact is heightened in environments where high availability and cryptographic integrity are critical.
Mitigation Recommendations
To mitigate CVE-2026-2474, European organizations should first identify all instances of Crypt::URandom versions 0.41 up to but not including 0.55 in their environments. Since no patch links are currently available, organizations should monitor vendor and community updates for a fixed version and apply it promptly once released. In the interim, developers should audit all code invoking crypt_urandom_getrandom() to ensure the length parameter is never derived from untrusted or user-controlled input. Implement strict input validation to reject negative or out-of-range values before passing them to the function. Consider adding additional runtime checks or wrappers around the vulnerable function to enforce parameter constraints. For critical systems, consider isolating or sandboxing Perl applications using this module to limit the impact of potential crashes. Regularly review application logs and monitor for abnormal crashes or memory corruption symptoms that could indicate exploitation attempts. Finally, incorporate this vulnerability into vulnerability management and incident response plans to ensure rapid detection and remediation.
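As an added illustration (not code from Crypt::URandom or its author), the two implicit conversions described in the technical summary and the validation wrapper the mitigation section recommends; it assumes the XS length is a C int, and MAX_REQUEST is a hypothetical policy cap:

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the length argument is a C int, as the advisory's
 * "length + 1u" expression suggests. All names here are hypothetical. */

/* Buffer size as the vulnerable code computes it. In C, int + unsigned int
 * is evaluated as unsigned int: -1 becomes UINT_MAX, and UINT_MAX + 1u
 * wraps to 0, so the allocation is zero bytes. */
size_t vulnerable_alloc_size(int length)
{
    return length + 1u;
}

/* Length as getrandom() receives it: its size_t parameter converts the
 * negative value to a huge unsigned count (-1 becomes SIZE_MAX). */
size_t vulnerable_request_size(int length)
{
    return (size_t)length;
}

/* Hardened form: reject negative and oversized values before any arithmetic
 * is done on them. Returns the allocation size (always >= 1) on success and
 * 0 when the input is rejected, so callers must treat 0 as an error. */
#define MAX_REQUEST 4096   /* hypothetical upper bound for one request */
size_t validated_alloc_size(int length)
{
    if (length < 0 || length > MAX_REQUEST)
        return 0;
    return (size_t)length + 1;   /* cannot wrap once length is bounded */
}

int main(void)
{
    printf("vulnerable alloc size for -1:   %zu\n", vulnerable_alloc_size(-1));
    printf("vulnerable request size for -1: %zu (SIZE_MAX = %zu)\n",
           vulnerable_request_size(-1), (size_t)SIZE_MAX);
    printf("validated alloc size for -1:    %zu (0 = rejected)\n",
           validated_alloc_size(-1));
    printf("validated alloc size for 32:    %zu\n", validated_alloc_size(32));
    return 0;
}
```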
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-02-13T15:45:19.206Z
- CVSS Version: null
- State: PUBLISHED
Added to database: 2/17/2026, 8:23:12 AM
Last enriched: 2/17/2026, 8:23:41 AM
Last updated: 2/21/2026, 12:16:42 AM