CVE-2026-11702

Description

Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes. When an object is initialised before forking, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess applications are predictable across processes.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

DAVIDO / Bytes::Random::Secure::Tiny0 – 1.011

References

MISChttps://github.com/daoswald/Bytes-Random-Secure-Tiny/issues/6
PATCHhttps://github.com/daoswald/Bytes-Random-Secure-Tiny/pull/7
MISChttps://security.metacpan.org/patches/B/Bytes-Random-Secure-Tiny/1.011/CVE-2026-11702-r1.patch
CONFIRMhttps://www.cve.org/CVERecord?id=CVE-2026-41564