CVE-2026-12205
Description
Crypt::DSA before 1.21 reuses the DSA nonce across signatures, allowing private-key recovery from two signatures.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Crypt::DSA versions before 1.21 for Perl reuse the DSA nonce (k) across multiple signing operations. The sign() method caches the nonce material in the Key object without clearing it, so the first call picks a nonce and every subsequent call reuses it, producing an identical "r" value in every signature. This is an instance of CWE-323 (Reusing a Nonce, Key Pair in Encryption). All keys used to sign more than once with an affected version should be considered compromised [1][2].
Exploitation
An attacker needs access to two distinct DSA signatures produced by the same key using an affected version. No special network position or authentication beyond obtaining the two signatures and their corresponding messages is required. The known mathematical relationship between the two signatures and messages allows recovery of the private key [1][2].
Impact
Successful exploitation recovers the full DSA private key. This enables the attacker to forge signatures on arbitrary messages, impersonate the legitimate key holder, or decrypt any data that relies on the key for trust. The impact is complete compromise of the cryptographic identity and any systems depending on it [1][2].
Mitigation
Fixed in version 1.21, released 2026-06-14. The fix ensures that a fresh nonce is generated for every signature. The module is now marked as deprecated; Crypt-DSA-GMP is a suggested replacement. Keys used to sign more than once with an affected version should be considered compromised [1]. No workaround is available for the vulnerability beyond upgrading.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
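The narrative above describes the defect at the level of behaviour: a nonce cached on the key object, reused on every call, which shows up as a repeated "r" across signatures. The following added example (written here for illustration; it is not Crypt::DSA's code and uses Python rather than Perl) models both behaviours with a toy DSA implementation: a VulnerableSigner that draws k once and caches it, a FixedSigner that draws a fresh k per signature, and a defender-side check, find_nonce_reuse, that scans a batch of (key id, r, s) records and flags any key whose signatures share an r value. The domain parameters are generated at tiny, insecure sizes and the messages are constructed, purely so the example runs offline; the key ids "key-vuln" and "key-fixed" are labels invented for the demo.

```python
"""Toy DSA showing nonce caching (the defect) vs. a fresh nonce per
signature (the fix), plus a detector for repeated r values.
Parameter sizes are deliberately tiny and NOT secure; this is an
illustration, not a usable DSA implementation."""
import hashlib
import random
import secrets
from collections import defaultdict


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test, good enough for toy parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(qbits=64, pbits=128, seed=12205):
    """Constructed toy DSA domain parameters (p, q, g) with q | p-1.
    Seeded so the example is reproducible; real keys must never do this."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q, rng):
            continue
        while True:
            p = q * rng.getrandbits(pbits - qbits) + 1
            if is_probable_prime(p, rng):
                break
        g = pow(2, (p - 1) // q, p)  # element of order q (or 1, rejected)
        if g != 1:
            return p, q, g


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def dsa_sign(params, x, msg, k):
    """Raw DSA signature with a caller-supplied nonce k; None if r or s is 0."""
    p, q, g = params
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    return None if r == 0 or s == 0 else (r, s)


def dsa_verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


class VulnerableSigner:
    """Models the bug: the nonce is cached on the key object and never cleared,
    so every signature after the first reuses it and repeats r."""
    def __init__(self, params, x):
        self.params, self.x, self._cached_k = params, x, None

    def sign(self, msg):
        q = self.params[1]
        if self._cached_k is None:  # only the very first call draws a nonce
            self._cached_k = secrets.randbelow(q - 1) + 1
        return dsa_sign(self.params, self.x, msg, self._cached_k)


class FixedSigner:
    """Models the corrected behaviour: a fresh nonce for every signature."""
    def __init__(self, params, x):
        self.params, self.x = params, x

    def sign(self, msg):
        q = self.params[1]
        while True:
            sig = dsa_sign(self.params, self.x, msg, secrets.randbelow(q - 1) + 1)
            if sig is not None:
                return sig


def find_nonce_reuse(records):
    """records: iterable of (key_id, r, s). Returns the key ids whose
    signatures share an r value; for DSA that means the nonce was reused
    and the key should be treated as compromised."""
    seen = defaultdict(set)
    flagged = set()
    for key_id, r, _s in records:
        if r in seen[key_id]:
            flagged.add(key_id)
        seen[key_id].add(r)
    return flagged


def demo():
    params = gen_params()
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    y = pow(g, x, p)
    msgs = [b"constructed message 1", b"constructed message 2"]  # constructed inputs
    bad, good = VulnerableSigner(params, x), FixedSigner(params, x)
    records = [("key-vuln", *bad.sign(m)) for m in msgs] + \
              [("key-fixed", *good.sign(m)) for m in msgs]
    # Every signature verifies: nonce reuse is invisible to verification,
    # which is why a separate repeated-r check is needed.
    all_ok = all(dsa_verify(params, y, m, (r, s))
                 for (_kid, r, s), m in zip(records, msgs * 2))
    return all_ok, find_nonce_reuse(records)


if __name__ == "__main__":
    ok, flagged = demo()
    print("all signatures verify:", ok)
    print("keys with repeated r (treat as compromised):", sorted(flagged))
```

The point of the check is that signature verification alone never reveals the problem: both signers produce valid signatures, and only a comparison of r values across signatures from the same key exposes the reuse. Running find_nonce_reuse over a signature archive is the practical way to identify which keys signed more than once with an affected version and therefore need rotating.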
Affected products
Crypt::DSA - Range: <1.21
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.