CVE-2026-30910 is an integer overflow vulnerability classified under CWE-190 affecting the Perl module Crypt::Sodium::XS through version 0.001000. The flaw arises because the combined AEAD encryption, combined signature creation, and bin2hex functions do not validate that the output buffer size calculations remain below the maximum size representable by the system (SIZE_MAX). When processing very large input messages, this lack of validation can cause integer wraparound, resulting in an undersized output buffer. For bin2hex, this occurs if the input size exceeds SIZE_MAX / 2; for AEAD encryption, if input size exceeds SIZE_MAX minus 32 bytes; for other encryption algorithms, if input size exceeds SIZE_MAX minus 16 bytes; and for signature creation, if input size exceeds SIZE_MAX minus 64 bytes. The consequence is that the undersized buffer leads to crashes in bin2hex and non-AES256-GCM encryption algorithms, while AES256-GCM encryption and signature functions may experience buffer overflows, potentially leading to memory corruption. Exploitation does not require authentication or user interaction and can be performed remotely (network vector). However, the extremely large input sizes required make exploitation unlikely in typical scenarios. The vulnerability impacts availability primarily through crashes and may impact integrity via buffer overflow-induced memory corruption. No patches were linked at the time of disclosure, and no known exploits have been reported in the wild. The CVSS v3.1 base score is 7.5 (high), reflecting the network attack vector, no required privileges or user interaction, and significant availability impact.

This vulnerability can cause denial of service conditions by crashing applications using Crypt::Sodium::XS for cryptographic operations, impacting availability. In cases involving AES256-GCM encryption and signature creation, buffer overflows could lead to memory corruption, which might be leveraged for more severe attacks such as arbitrary code execution or data integrity compromise, although no such exploits are known currently. Organizations relying on this Perl module for encryption or signature services could face service disruptions or potential security breaches if processing extremely large inputs. The rarity of such large inputs reduces the likelihood of widespread exploitation, but high-value targets or automated systems processing large data streams could be at risk. The lack of authentication and user interaction requirements increases the attack surface, as attackers can attempt exploitation remotely without credentials. Overall, the threat primarily affects availability and potentially integrity, with confidentiality impact considered negligible.

Organizations should monitor for official patches or updates from the Crypt::Sodium::XS maintainers and apply them promptly once available. Until patches are released, implement strict input validation to reject or limit message sizes well below the thresholds that trigger integer wraparound (e.g., significantly less than SIZE_MAX / 2 for bin2hex and corresponding limits for encryption and signature functions). Employ runtime protections such as memory safety tools or address sanitizers during development and testing to detect potential buffer overflows. Review and audit any custom code interfacing with Crypt::Sodium::XS to ensure it does not inadvertently pass large inputs that could trigger the vulnerability. Consider isolating or sandboxing services using this module to limit impact in case of exploitation. Maintain robust monitoring and logging to detect abnormal crashes or memory corruption events that could indicate attempted exploitation. Finally, educate developers and security teams about the risks of integer overflows in cryptographic libraries and the importance of input size checks.