CVE-2026-57080 | Net::BitTorrent versions through 2.0.1 for Perl allow remote… | CVSS 7.5 HIGH

Description

Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix. The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit. Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process's memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.

Metadata

CVE ID: CVE-2026-57080
State: PUBLISHED
Assigner: CPANSec
Reserved: 2026-06-23 18:20 UTC
Published: 2026-06-30 11:04 UTC
Last updated: 2026-06-30 13:48 UTC
Primary CWE: CWE-770
CWE-770 Allocation of Resources Without Limits or Throttling
Vendor / Product: SANKO / Net::BitTorrent
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
SANKO	Net::BitTorrent	—	0 ≤ 2.0.1

Weakness (CWE)

CWE	Source	Description
CWE-400	cna	CWE-400 Uncontrolled Resource Consumption
CWE-770	cna	CWE-770 Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

https://github.com/sanko/Net-BitTorrent.pm/security/advisories/GHSA-7jr6-2jf4-6qc4