High severity7.5NVD Advisory· Published May 28, 2026· Updated May 29, 2026
CVE-2026-41565
CVE-2026-41565
Description
CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers.
The gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify and eax_decrypt_verify XS routines copied the caller-supplied authentication tag into a fixed 144-byte stack buffer (MAXBLOCKSIZE) without checking the supplied length. A longer tag overwrites the stack past the buffer. Version 0.088 added the clamp to gcm_decrypt_verify, and 0.088_001 added it to the other three.
Any caller of an affected helper that forwards an attacker-controlled tag longer than the buffer can trigger the overflow.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- osv-coords2 versionspkg:rpm/opensuse/perl-CryptX&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/perl-CryptX&distro=openSUSE%20Tumbleweed
< 0.89.0-bp160.1.1+ 1 more
- (no CPE)range: < 0.89.0-bp160.1.1
- (no CPE)range: < 0.89.0-2.1
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.