| Name | CVE-2026-11625 |
| Description | Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes. When an object is initialised before forking, or when the functional interface is used, then the internal state for the PRNG is shared across processes and identical random streams will be produced. Secrets generated in multiprocess applications are predictable across processes. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libbytes-random-secure-perl (PTS) | bullseye | 0.29-1 | vulnerable |
| forky, bookworm, trixie | 0.29-3 | vulnerable | |
| sid | 0.29-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libbytes-random-secure-perl | source | (unstable) | 0.29-4 |
[trixie] - libbytes-random-secure-perl <no-dsa> (Minor issue; will be fixed via point release)
[bookworm] - libbytes-random-secure-perl <no-dsa> (Minor issue; will be fixed via point release)
[bullseye] - libbytes-random-secure-perl <postponed> (Minor issue; can be fixed in next update)
https://lists.security.metacpan.org/cve-announce/msg/41305966/
https://github.com/daoswald/Bytes-Random-Secure/issues/3
https://github.com/daoswald/Bytes-Random-Secure/pull/4
https://security.metacpan.org/patches/B/Bytes-Random-Secure/0.29/CVE-2026-11625-r1.patch