CVE-2026-57080: CWE-770 Allocation of Resources Without Limits or Throttling in SANKO Net::BitTorrent
Net::BitTorrent versions up to 2.0.1 for Perl have a vulnerability where remote peers can cause memory exhaustion by sending an uncapped message-length prefix. The software trusts a 4-byte length prefix from peers without an upper bound, allowing a peer to announce a very large message length and cause the input buffer to grow without limit. This can exhaust memory resources of the downloading process. Legitimate messages are much smaller, making large length prefixes anomalous.
AI Analysis
Technical Summary
CVE-2026-57080 is a resource exhaustion vulnerability in SANKO's Net::BitTorrent Perl module versions up to 2.0.1. The vulnerability arises because the peer-wire protocol implementation trusts the 4-byte length prefix from connected peers without enforcing an upper bound. The receive_data function appends all incoming bytes to the input buffer, and the decoder waits until the full message is received before processing. A malicious peer can announce a message length of up to approximately 4 GiB and stream that many bytes, causing the buffer to grow without limit and exhaust memory. Peer connections are unauthenticated, so any peer in the swarm can exploit this to exhaust the downloader's memory. The largest legitimate message is a 16 KiB piece block, so any length prefix significantly larger than this is anomalous and indicative of an attack.
Potential Impact
An attacker controlling a peer in the BitTorrent swarm can cause the target process running Net::BitTorrent to exhaust its memory resources by sending a large message-length prefix and streaming a correspondingly large message. This can lead to denial of service due to memory exhaustion. There is no indication of code execution or data corruption from the provided information.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider limiting exposure to untrusted peers or implementing network-level controls to detect and block anomalous large message-length prefixes. Since peer connections are unauthenticated, restricting connections to trusted peers may reduce risk.
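The unbounded framing described in the Technical Summary beside a capped variant that implements the mitigation, as an added Perl example that is not code from Net::BitTorrent: frame_unbounded and frame_capped are hypothetical names standing in for the module's receive_data/decoder path, and the MAX_MSGLEN cap (16 KiB block plus header plus an assumed slack for extension messages) is an assumption.

```perl
use strict;
use warnings;

# Largest legitimate message is a 16 KiB piece block: the prefix (which excludes
# itself) covers id(1)+index(4)+begin(4)+16384 bytes. Extra slack is an assumption.
use constant MAX_MSGLEN => 9 + 16 * 1024 + 1024;

# Unbounded framing, mirroring the behaviour the advisory describes: every byte is
# appended and nothing runs until the announced length arrives, however large.
sub frame_unbounded {
    my ($buf_ref, $data) = @_;
    $$buf_ref .= $data;
    return undef if length($$buf_ref) < 4;
    my $len = unpack 'N', $$buf_ref;              # 4-byte big-endian prefix, trusted
    return undef if length($$buf_ref) < 4 + $len; # keep waiting and buffering
    my $frame = substr $$buf_ref, 0, 4 + $len, '';
    return substr $frame, 4;
}

# Hardened framing: reject the prefix as soon as it is readable, before
# any more of the announced payload is buffered.
sub frame_capped {
    my ($buf_ref, $data) = @_;
    $$buf_ref .= $data;
    return (undef, 'incomplete') if length($$buf_ref) < 4;
    my $len = unpack 'N', $$buf_ref;
    if ($len > MAX_MSGLEN) {
        $$buf_ref = '';                           # discard; caller drops the peer
        return (undef, sprintf 'oversized prefix %u > %u: drop peer', $len, MAX_MSGLEN);
    }
    return (undef, 'incomplete') if length($$buf_ref) < 4 + $len;
    my $frame = substr $$buf_ref, 0, 4 + $len, '';
    return (substr($frame, 4), 'ok');
}

# Constructed inputs: a legitimate 'have' (len 5, id 4, piece 7) and a hostile
# prefix announcing ~4 GiB followed by a trickle of filler bytes.
my $have    = pack 'N C N', 5, 4, 7;
my $hostile = pack('N', 0xFFFFFFFF) . ("\0" x 64);

my $buf = '';
frame_unbounded(\$buf, $hostile);
frame_unbounded(\$buf, "\0" x 65536);             # still waiting; 65604 bytes held
printf "unbounded: %d bytes buffered, still waiting\n", length $buf;
$buf = '';
my ($msg, $status) = frame_capped(\$buf, $have);
printf "capped/have: %s, %d-byte payload\n", $status, length $msg;
$buf = '';
($msg, $status) = frame_capped(\$buf, $hostile);
printf "capped/hostile: %s, %d bytes buffered\n", $status, length $buf;
```

The capped path empties the buffer and reports the oversized prefix on the first read, so the peer can be dropped before the announced payload is ever accumulated.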
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-06-23T18:20:33.514Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43addd27e9c79719af497b
Added to database: 06/30/2026, 11:51:57 UTC
Last enriched: 06/30/2026, 12:06:54 UTC
Last updated: 06/30/2026, 12:06:54 UTC