Security Advisories (1)
CVE-2026-5086 (2026-04-13)

Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks. For example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepancies in timing could be used to guess the secret password.

Changes for version 0.016 - 2025-12-27

  • New append_console_line(prompt => $txt) feature resolves race condition between printing prompt and disabling echo
  • New Crypt::SecretBuffer::ConsoleState utility class lets users disable TTY echo more flexibly
  • Fix bug where ->sysread was actually calling the ->read implementation
  • Fix Win32 compatibility (compile errors in 0.013 - 0.015)
  • Fix TTY tests on BSD (race condition in append_console_line)

Documentation

Modules

Prevent accidentally leaking a string of sensitive data
Observe results of a write_async operation
Disable TTY echo within a block scope
Parse INI format from a SecretBuffer
Parse PEM format from a SecretBuffer
Reference a span of bytes within a SecretBuffer

Provides

in lib/Crypt/SecretBuffer.pm