{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5086", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "state": "PUBLISHED", "assignerShortName": "CPANSec", "dateReserved": "2026-03-28T19:22:27.564Z", "datePublished": "2026-04-13T22:54:53.724Z", "dateUpdated": "2026-04-15T20:03:28.442Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "packageName": "Crypt-SecretBuffer", "product": "Crypt::SecretBuffer", "programFiles": ["SecretBuffer.xs"], "programRoutines": [{"name": "Crypt::SecretBuffer::memcmp"}], "repo": "https://github.com/nrdvana/perl-Crypt-SecretBuffer", "vendor": "NERDVANA", "versions": [{"lessThan": "0.019", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks.\n\nFor example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-13T22:54:53.724Z"}, "references": [{"tags": ["release-notes"], "url": "https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes"}], "solutions": [{"lang": "en", "value": "Upgrade to version 0.019 or later."}], "source": {"discovery": "UNKNOWN"}, "title": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks", "x_generator": {"engine": "cpansec-cna-tool 0.1"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/13/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-14T01:34:38.681Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T19:59:41.270630Z", "id": "CVE-2026-5086", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:03:28.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/13/12"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-14T01:34:38.681Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5086", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T19:59:41.270630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T20:00:10.997Z"}}], "cna": {"title": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/nrdvana/perl-Crypt-SecretBuffer", "vendor": "NERDVANA", "product": "Crypt::SecretBuffer", "versions": [{"status": "affected", "version": "0", "lessThan": "0.019", "versionType": "custom"}], "packageName": "Crypt-SecretBuffer", "programFiles": ["SecretBuffer.xs"], "collectionURL": "https://cpan.org/modules", "defaultStatus": "unaffected", "programRoutines": [{"name": "Crypt::SecretBuffer::memcmp"}]}], "solutions": [{"lang": "en", "value": "Upgrade to version 0.019 or later."}], "references": [{"url": "https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes", "tags": ["release-notes"]}], "x_generator": {"engine": "cpansec-cna-tool 0.1"}, "descriptions": [{"lang": "en", "value": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks.\n\nFor example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "providerMetadata": {"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "shortName": "CPANSec", "dateUpdated": "2026-04-13T22:54:53.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5086", "state": "PUBLISHED", "dateUpdated": "2026-04-15T20:03:28.442Z", "dateReserved": "2026-03-28T19:22:27.564Z", "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "datePublished": "2026-04-13T22:54:53.724Z", "assignerShortName": "CPANSec"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nerdvana:crypt\\:\\:secretbuffer:*:*:*:*:*:perl:*:*", "matchCriteriaId": "93A2172E-D859-484C-BF39-687B58BCC991", "versionEndExcluding": "0.019", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Crypt::SecretBuffer versions before 0.019 for Perl is suseceptible to timing attacks.\n\nFor example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepencies in timing could be used to guess the secret password."}], "id": "CVE-2026-5086", "lastModified": "2026-05-06T17:16:49.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T23:16:27.990", "references": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product", "Release Notes"], "url": "https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2026/04/13/12"}], "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.019)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Crypt::SecretBuffer", "source": "cna", "vendor": "NERDVANA"}, "product": "crypt::secretbuffer", "vendor": "nerdvana"}], "analysis": {"en": {"generated_at": "2026-04-16T02:35:13.996029+00:00", "value": {"mitigation_remediation": ["Upgrade Crypt::SecretBuffer to version 0.019 or later", "Replace usage of the module in password comparison with a constant\u2011time comparison routine from a vetted library (e.g., Digest::SHA or Crypt::VerifyPassword) as a temporary measure if immediate upgrade is not possible", "Conduct a code review and penetration testing focused on timing side channels for authentication logic to ensure no other vulnerable comparisons remain"], "summary": {"action": "Patch", "impact": "Timing attack reveals secrets"}, "threat_synthesis": {"affected_systems": "The Vulnerable component is the NERDVANA Crypt::SecretBuffer Perl module. All releases older than version 0.019 contain the flaw and are susceptible while the module is used to store or compare secrets.", "description_and_impact": "Versions of Crypt::SecretBuffer prior to 0.019 allow measurable timing differences during secret comparisons. An attacker can exploit these non\u2011constant\u2011time operations to infer passwords or other sensitive data, compromising confidentiality. The weakness corresponds to the common software defect in which comparisons depend on data value, classified as CWE\u2011208.", "risk_and_exploitability": "Based on the description, the likely attack vector involves an attacker triggering the module locally or observing its execution timing, requiring moderate skill and repeated trials to mount a successful timing attack. The vulnerability has a CVSS score of 7.5 and an EPSS score of <1%, indicating high severity but a very low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The overall risk is significant for applications relying on this module for password handling."}}}}, "created": "2026-04-14T16:16:58.876059+00:00", "updated": "2026-04-16T02:45:06.081700+00:00", "vendors": ["nerdvana", "nerdvana$PRODUCT$crypt::secretbuffer"]}