CVE-2026-57080
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-400
Consumo de recursos no controlado (Agotamiento de recursos)
Fecha de publicación:
30/06/2026
Última modificación:
30/06/2026
Descripción
*** Pendiente de traducción *** Net::BitTorrent versions through 2.0.1 for Perl allow remote memory exhaustion via an uncapped peer-wire message-length prefix.<br />
<br />
The peer-wire framing in _process_messages trusts the 4-byte length prefix sent by a connected peer with no upper bound, while receive_data appends every inbound byte to the input buffer. A peer announces a length prefix of up to about 4 GiB and then streams bytes; the decoder waits until the buffer holds the full message before processing it, so the buffer grows without limit.<br />
<br />
Peer connections are unauthenticated, so any peer in the swarm exhausts the downloading process&#39;s memory. The largest legitimate message is a 16 KiB piece block, so any announced length far above that is anomalous.
Impacto
Puntuación base 3.x
7.50
Gravedad 3.x
ALTA



