CVE-2026-2588CRITICAL 9.1EPSS p26.3%

CVE-2026-2588CVE-2026-2588

Description

Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems. Sodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS0.35% probability of exploitation · percentile 26.3% · 2026-06-18T12:00:27Z
Published2026-02-23
Last modified2026-03-04

Underlying weaknesses· 1

CWE-190

References

  1. https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch
  2. https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch
  3. https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119

1

TypeTargetConfidenceTier
WeaknessInteger Overflow or Wraparoundcwe-1900%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-30909
CVE
CVE-2025-15444
CVE
CVE-2025-40914
CVE
CVE-2026-8507
CVE
CVE-2026-3257
CVE
CVE-2026-8721
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.