CVE-2025-40913

Description

Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow. Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

ATRODO / Net::Dropbear0.01 – 0.16

References

CONFIRMhttps://www.cve.org/CVERecord?id=CVE-2023-36328
PATCHhttps://github.com/libtom/libtommath/pull/546
VENDOR_ADVISORYhttps://github.com/advisories/GHSA-j3xv-6967-cv88
MISChttps://metacpan.org/release/ATRODO/Net-Dropbear-0.16/source/dropbear/libtommath/bn_mp_grow.c