Severity: HIGH | CVE-2026-41565 | CNA: CPANSec

CVE-2026-41565: CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers

CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers. The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added a length clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three. Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow.
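
The unchecked copy and the length clamp described above, as an added C illustration. This is not CryptX's XS source: the function names, the guard-byte frame and the sample input are constructed for the example, and only the 144-byte size comes from the advisory.

```c
#include <stddef.h>
#include <string.h>

#define TAG_BUF_SIZE 144 /* buffer size given in the advisory (MAXBLOCKSIZE) */

/* "Before" pattern: the caller-supplied length is trusted as-is.
 * Memory-safe only while len <= TAG_BUF_SIZE. Hypothetical name. */
void stage_tag_unchecked(unsigned char *buf, const unsigned char *tag, size_t len)
{
    memcpy(buf, tag, len);
}

/* "After" pattern: clamp the length to the buffer capacity before copying.
 * Returns the number of bytes actually copied. Hypothetical name. */
size_t stage_tag_clamped(unsigned char *buf, size_t cap,
                         const unsigned char *tag, size_t len)
{
    size_t n = len > cap ? cap : len;
    memcpy(buf, tag, n);
    return n;
}

/* Constructed stand-in for a helper's stack frame: the tag buffer followed
 * by guard bytes, so any write past the buffer would be observable. */
struct frame {
    unsigned char tag[TAG_BUF_SIZE];
    unsigned char guard[16];
};

/* Runs the clamped copy on a constructed tag of len bytes (at most 512).
 * Returns bytes copied, or (size_t)-1 if a guard byte was modified. */
size_t demo_clamped_copy(size_t len)
{
    unsigned char input[512];
    struct frame f;
    size_t i, n;
    if (len > sizeof input)
        return (size_t)-1;
    memset(input, 0x41, sizeof input);      /* constructed tag bytes */
    memset(f.guard, 0xA5, sizeof f.guard);  /* known guard pattern */
    n = stage_tag_clamped(f.tag, sizeof f.tag, input, len);
    for (i = 0; i < sizeof f.guard; i++)
        if (f.guard[i] != 0xA5)
            return (size_t)-1;
    return n;
}

/* Stand-alone run: exit status 0 when a 200-byte tag is clamped to 144. */
int main(void) { return demo_clamped_copy(200) == TAG_BUF_SIZE ? 0 : 1; }
```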

HarborGuard Analysis

Synopsis

Stack-based buffer overflow in CryptX (Perl) before version 0.088_001 affecting four AEAD decrypt_verify helper routines: gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, and eax_decrypt_verify. The flaw is reachable over the network without authentication, triggered by supplying an authentication tag longer than 144 bytes to any affected helper that forwards caller-controlled input. Successful exploitation crashes the affected service, causing a denial of service. A patched-image rebuild at version 0.088_001 is available on HarborGuard for environments running an affected version of CryptX.

HarborGuard Coverage

Detection

Detection of CVE-2026-41565 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CPANSec advisories) within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Perl and CryptX. Coverage extends to indirect inclusions where CryptX is pulled in as a transitive dependency.

Status: Available

Triage

Triage is available with a CVSS v3.1 score of 7.5 (HIGH), surfaced alongside per-environment compliance policy weighting so teams can calibrate urgency against their own risk thresholds. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

A patched-image rebuild at CryptX 0.088_001 becomes available on HarborGuard for any scanned image found to contain an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The affected AEAD decrypt_verify helpers are reachable over the network, so an attacker must be able to send crafted input to an exposed service that forwards attacker-controlled tag data to one of the vulnerable routines.

  • Authentication: Not required

    No credentials or account are needed; the overflow can be triggered by any unauthenticated caller that can supply an oversized authentication tag to the affected endpoint.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker interacts directly with the target service.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and condition-free once the attacker can deliver a tag value longer than 144 bytes to an affected helper.

Blast Radius

  • Crashes the process hosting the affected Perl application, taking the service offline for the duration of the outage.
  • Any in-flight requests being processed at the time of the crash are dropped, causing data loss for those operations.
  • Repeated triggering of the overflow enables a persistent denial-of-service condition against the affected service.

How HarborGuard Handles This

Available on HarborGuard: images containing CryptX versions prior to 0.088_001 are flagged automatically as part of each scan cycle, with the finding scored at CVSS 7.5 HIGH. A rebuild targeting CryptX 0.088_001 is available the moment an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the patched rebuild, executes regression tests against the resulting image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the patched rebuild is staged and a notification is sent to the configured team inbox for review and promotion.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 0.088_001
Affected products: 1

Fix available: 0.088_001

Affected packages
  • MIK / CryptX: < 0.088_001 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H