Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-57080

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-400 Consumo de recursos no controlado (Agotamiento de recursos)
Fecha de publicación:
30/06/2026
Última modificación:
30/06/2026

Descripción

*** Pendiente de traducción *** Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix.<br /> <br /> The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit.<br /> <br /> Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process&amp;#39;s memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.