CVE-2026-2597: CWE-122 Heap-based Buffer Overflow in LEONT Crypt::SysRandom::XS

Severity: High
Tags: CVE-2026-2597, cve, cwe-122, cwe-1284
Published: Thu Feb 26 2026 (02/26/2026, 23:29:16 UTC)
Source: CVE Database V5
Vendor/Project: LEONT
Product: Crypt::SysRandom::XS

Description

Crypt::SysRandom::XS versions before 0.010 for Perl are vulnerable to a heap buffer overflow in the XS function random_bytes(). The function does not validate that the length parameter is non-negative. If a negative value (e.g. -1) is supplied, the expression length + 1u causes an integer wraparound, resulting in a zero-byte allocation. The subsequent call to the chosen random function (e.g. getrandom) passes the original negative value, which is implicitly converted to a large unsigned value (typically SIZE_MAX). This can result in writes beyond the allocated buffer, leading to heap memory corruption and an application crash (denial of service). In common usage, the length argument is typically hardcoded by the caller, which reduces the likelihood of attacker-controlled exploitation. Applications that pass untrusted input to this parameter may be affected.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/26/2026, 23:57:30 UTC

Technical Analysis

CVE-2026-2597 is a heap-based buffer overflow vulnerability identified in the Perl module Crypt::SysRandom::XS, specifically in versions prior to 0.010. The issue resides in the XS function random_bytes(), which is designed to generate random bytes of a specified length. The vulnerability arises because the function does not validate that the length parameter is non-negative. If a negative value, such as -1, is supplied, the expression length + 1u (unsigned) causes an integer wraparound, resulting in an allocation of zero bytes on the heap. However, the subsequent call to the underlying random number generation function (e.g., getrandom) uses the original negative length value, which is implicitly converted to a very large unsigned integer (commonly SIZE_MAX). This mismatch causes the function to write beyond the allocated buffer, corrupting heap memory. The corruption can lead to application crashes, resulting in denial of service. While the vulnerability is severe in terms of memory safety, exploitation is limited by the fact that the length parameter is typically hardcoded by developers, reducing the chance of attacker-controlled input. However, applications that pass untrusted or user-controlled input to random_bytes() are at risk. No public exploits have been reported to date. The vulnerability is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-1284 (Improper Validation of Array Index). No CVSS score has been assigned yet.
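The size arithmetic described in the Description and the Technical Analysis above, shown in C as an added example; this is not code from the Crypt::SysRandom::XS module, whose XS source is not on this page. `legacy_alloc_size` and `legacy_request_size` model the two conversions the advisory names (the wrapped `length + 1u` allocation and the negative length converted to `size_t` for the RNG call), `legacy_sizes_mismatch` reports when they disagree, and `random_bytes_checked` is a hardened counterpart that applies the missing non-negative check and an upper bound before allocating. The function names, the `RANDOM_BYTES_MAX` bound and the `/dev/urandom` reader standing in for getrandom() are assumptions of this example; `pattern_fill` is a constructed deterministic filler for offline checks, not a random source. Nothing here performs the oversized write: the mismatch is computed, not executed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound for one request; an assumed policy value, not the module's. */
#define RANDOM_BYTES_MAX ((size_t)1 << 20)

/* Models the pre-0.010 allocation size from the advisory: with a negative
 * length such as -1, length + 1u wraps to 0, so the buffer is zero bytes. */
size_t legacy_alloc_size(long length) {
    return (size_t)(length + 1u);
}

/* Models the size handed to the RNG call: the negative length is converted
 * to size_t, so -1 becomes SIZE_MAX, far larger than the zero-byte buffer. */
size_t legacy_request_size(long length) {
    return (size_t)length;
}

/* Returns 1 when the legacy arithmetic would allocate fewer bytes than it
 * asks the RNG to write, i.e. the condition behind the heap overflow. */
int legacy_sizes_mismatch(long length) {
    return legacy_request_size(length) > legacy_alloc_size(length);
}

typedef int (*fill_fn)(unsigned char *buf, size_t len);

/* Reads len bytes from /dev/urandom; stands in for getrandom() here so the
 * example stays portable. Returns 0 on success, -1 on failure. */
int urandom_fill(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Constructed deterministic filler for offline checks only; not random. */
int pattern_fill(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(0xA5 ^ (i & 0xFF));
    return 0;
}

/* Hardened counterpart: rejects negative and oversized lengths before any
 * allocation, and hands the RNG exactly the allocated size. Returns 0 with a
 * malloc'd buffer in *out on success, -1 otherwise (*out left NULL). */
int random_bytes_checked(long length, fill_fn fill, unsigned char **out) {
    *out = NULL;
    if (length < 0) return -1;                        /* the missing check */
    if ((unsigned long)length > RANDOM_BYTES_MAX) return -1;
    size_t n = (size_t)length;
    unsigned char *buf = malloc(n == 0 ? 1 : n);      /* avoid malloc(0) */
    if (buf == NULL) return -1;
    if (fill(buf, n) != 0) { free(buf); return -1; }
    *out = buf;
    return 0;
}

int main(void) {
    long probes[] = { 16, 0, -1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        long l = probes[i];
        printf("length=%ld legacy alloc=%zu legacy request=%zu mismatch=%d\n",
               l, legacy_alloc_size(l), legacy_request_size(l),
               legacy_sizes_mismatch(l));
        unsigned char *buf;
        int rc = random_bytes_checked(l, urandom_fill, &buf);
        printf("  checked version: rc=%d\n", rc);
        free(buf);
    }
    return 0;
}
```

The hardened function is the shape of check the Mitigation Recommendations call for at the boundary where untrusted input could reach the length: reject before allocating, and derive the RNG request size from the same validated value that sized the buffer, so the two can never diverge.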

Potential Impact

The primary impact of this vulnerability is denial of service due to application crashes caused by heap memory corruption. In environments where the length parameter to random_bytes() can be influenced by an attacker, this could lead to repeated crashes, disrupting service availability. Although no known exploits exist, the heap corruption could potentially be leveraged for more advanced attacks such as remote code execution or privilege escalation if combined with other vulnerabilities or memory corruption techniques. Organizations relying on Crypt::SysRandom::XS for cryptographic randomness in Perl applications may face stability issues or service interruptions. The risk is higher for applications that accept untrusted input for the length parameter, which could be exploited to trigger the overflow. Given the widespread use of Perl in web applications, system scripts, and automation, affected systems could include web servers, backend services, and security tools that depend on this module. The lack of authentication or user interaction requirements for triggering the vulnerability increases the risk in scenarios where input is not properly sanitized.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade Crypt::SysRandom::XS to version 0.010 or later once available, where proper validation of the length parameter is implemented. Until a patched version is released, developers should audit their code to ensure that the length argument passed to random_bytes() is strictly validated and never derived from untrusted or user-controlled input. Implement input validation checks to reject negative or out-of-range values before calling random_bytes(). Employ runtime protections such as heap memory corruption detection tools (e.g., AddressSanitizer) during development and testing to catch potential misuse. Additionally, consider applying application-level sandboxing or process isolation to limit the impact of potential crashes. Monitoring application logs for crashes or abnormal behavior related to random_bytes() calls can help detect exploitation attempts. Finally, maintain an inventory of Perl modules in use and track updates from the vendor to apply patches promptly.

Technical Details

Data Version: 5.2
Assigner Short Name: CPANSec
Date Reserved: 2026-02-16T20:27:02.194Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69a0da1732ffcdb8a272349d

Added to database: 2/26/2026, 11:41:11 PM

Last enriched: 2/26/2026, 11:57:30 PM

Last updated: 4/12/2026, 9:11:32 AM