{"url":"http://public2.vulnerablecode.io/api/packages/196277?format=json","purl":"pkg:deb/debian/libcryptx-perl@0.085-1%2Bdeb13u1","type":"deb","namespace":"debian","name":"libcryptx-perl","version":"0.085-1+deb13u1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.089-1","latest_non_vulnerable_version":"0.089-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75803?format=json","vulnerability_id":"VCID-9341-vq43-5kgs","summary":"Perl CryptX before version 0.087 contains a dependency that may be susceptible to an integer overflow.  CryptX embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-40914","reference_id":"","reference_type":"","scores":[{"value":"0.00538","scoring_system":"epss","scoring_elements":"0.67944","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00538","scoring_system":"epss","scoring_elements":"0.67929","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00538","scoring_system":"epss","scoring_elements":"0.67941","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00538","scoring_system":"epss","scoring_elements":"0.67951","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-40914"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40914","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-40914"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107697","reference_id":"1107697","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107697"},{"reference_url":"https://metacpan.org/release/MIK/CryptX-0.086/source/src/ltm/bn_mp_grow.c","reference_id":"bn_mp_grow.c","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-11T14:33:49Z/"}],"url":"https://metacpan.org/release/MIK/CryptX-0.086/source/src/ltm/bn_mp_grow.c"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2023-36328","reference_id":"CVERecord?id=CVE-2023-36328","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-11T14:33:49Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2023-36328"},{"reference_url":"https://github.com/advisories/GHSA-j3xv-6967-cv88","reference_id":"GHSA-j3xv-6967-cv88","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-06-11T14:33:49Z/"}],"url":"https://github.com/advisories/GHSA-j3xv-6967-cv88"},{"reference_url":"https://usn.ubuntu.com/8128-1/","reference_id":"USN-8128-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/8128-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196278?format=json","purl":"pkg:deb/debian/libcryptx-perl@0.089-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcryptx-perl@0.089-1"}],"aliases":["CVE-2025-40914"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9341-vq43-5kgs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/59059?format=json","vulnerability_id":"VCID-waad-yckk-yuhz","summary":"perl-CryptX: perl-CryptX: Stack buffer overflow allows arbitrary code execution via a crafted authentication tag.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41565.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-41565.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41565","reference_id":"","reference_type":"","scores":[{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.28921","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.29015","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.2898","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.28945","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0011","scoring_system":"epss","scoring_elements":"0.2891","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41565"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41565","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41565"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482740","reference_id":"2482740","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2482740"},{"reference_url":"https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1.patch","reference_id":"57e69e541b0718ca8724c2f61514322a2d859bc1.patch","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:53:14Z/"}],"url":"https://github.com/DCIT/perl-CryptX/commit/57e69e541b0718ca8724c2f61514322a2d859bc1.patch"},{"reference_url":"https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch","reference_id":"7e56347d420aaf43b2ee1586f4a230492ccf1642.patch","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:53:14Z/"}],"url":"https://github.com/DCIT/perl-CryptX/commit/7e56347d420aaf43b2ee1586f4a230492ccf1642.patch"},{"reference_url":"https://metacpan.org/release/MIK/CryptX-0.088_001","reference_id":"CryptX-0.088_001","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:53:14Z/"}],"url":"https://metacpan.org/release/MIK/CryptX-0.088_001"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196278?format=json","purl":"pkg:deb/debian/libcryptx-perl@0.089-1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcryptx-perl@0.089-1"}],"aliases":["CVE-2026-41565"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-waad-yckk-yuhz"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75804?format=json","vulnerability_id":"VCID-8et5-tcda-tfhd","summary":"CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking.  The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and any randomized operation they perform can produce identical output, including key generation. Two ECDSA or DSA signatures from different processes are enough to recover the signing private key through nonce-reuse key recovery.  This affects preforking services such as the Starman web server, where a Crypt::PK::* object loaded at startup is inherited by every worker process.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41564","reference_id":"","reference_type":"","scores":[{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03016","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02919","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.03024","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02955","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00015","scoring_system":"epss","scoring_elements":"0.02971","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41564"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41564","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41564"},{"reference_url":"https://github.com/DCIT/perl-CryptX/commit/9a1dd3e0c27d68e32450be5538b864c2b115ee15.patch","reference_id":"9a1dd3e0c27d68e32450be5538b864c2b115ee15.patch","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:05:18Z/"}],"url":"https://github.com/DCIT/perl-CryptX/commit/9a1dd3e0c27d68e32450be5538b864c2b115ee15.patch"},{"reference_url":"https://metacpan.org/release/MIK/CryptX-0.088","reference_id":"CryptX-0.088","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:05:18Z/"}],"url":"https://metacpan.org/release/MIK/CryptX-0.088"},{"reference_url":"https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-24c2-gp6c-24c6","reference_id":"GHSA-24c2-gp6c-24c6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-23T13:05:18Z/"}],"url":"https://github.com/DCIT/perl-CryptX/security/advisories/GHSA-24c2-gp6c-24c6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/196277?format=json","purl":"pkg:deb/debian/libcryptx-perl@0.085-1%2Bdeb13u1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9341-vq43-5kgs"},{"vulnerability":"VCID-waad-yckk-yuhz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcryptx-perl@0.085-1%252Bdeb13u1"}],"aliases":["CVE-2026-41564"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8et5-tcda-tfhd"}],"risk_score":"4.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/libcryptx-perl@0.085-1%252Bdeb13u1"}