CVE-2026-57082

Source
https://cve.org/CVERecord?id=CVE-2026-57082
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57082.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57082
Aliases
  • GHSA-g444-x2c5-94hc
Published
2026-06-30T11:05:33.709Z
Modified
2026-07-15T01:49:20.210540708Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG
Details

Net::BitTorrent versions through 2.0.1 for Perl generate the MSE Diffie-Hellman private key with a non-cryptographic PRNG.

The MSE (Message Stream Encryption) handshake derives its 160-bit Diffie-Hellman private key from Perl's rand(), a non-cryptographic drand48-class generator seeded once per process, in KeyExchange.pm. The shared secret and the RC4 keys derived from it (the SHA-1 of "keyA" or "keyB", the shared secret, and the infohash) therefore depend entirely on a predictable PRNG. The same handshake sends, in cleartext, random padding drawn from the same rand() sequence in randompad, immediately after the public key and the private-key draw.

A passive observer of the handshake recovers the PRNG state from the cleartext padding, reconstructs the private key, computes the shared secret from the peer's public key on the wire, derives the RC4 keys, and decrypts the connection, defeating the passive-observation obfuscation MSE provides.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57082.json",
    "cwe_ids": [
        "CWE-330",
        "CWE-338"
    ],
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/sanko/net-bittorrent.pm

Affected ranges

Type
GIT
Repo
https://github.com/sanko/net-bittorrent.pm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.0.1"
        },
        {
            "fixed": "2.0.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION"
    ]
}

Affected versions

v2.*
v2.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57082.json"