oss-sec mailing list archives

CVE-2026-11702: Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes


From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 26 Jun 2026 09:15:08 +0100


========================================================================
CVE-2026-11702                                       CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-11702
  Distribution:  Bytes-Random-Secure-Tiny
      Versions:  through 1.011

      MetaCPAN: https://metacpan.org/dist/Bytes-Random-Secure-Tiny
      VCS Repo: https://github.com/daoswald/Bytes-Random-Secure-Tiny


Bytes::Random::Secure::Tiny versions through 1.011 for Perl share
internal state across forked processes

Description
-----------
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share
internal state across forked processes.

When an object is initialised before forking, the internal state of
the PRNG is inherited by every child process, and each process then
produces the identical random stream.

Secrets generated in multiprocess applications are predictable across
processes.

Problem types
-------------
- CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator
  (PRNG)

Workarounds
-----------
Apply the patch, if possible.

Otherwise, ensure that the object is only instantiated in a child
process after forking.

Alternatively, use a different module such as Crypt::PRNG,
Crypt::SysRandom or Crypt::URandom.
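The following script is an added illustration of the workaround above
(it is not code from the advisory or from the module): it compares a
generator object created before fork with one created per process, and
reports whether two children draw the same bytes. It assumes the
module's `new` and `bytes_hex($n)` methods; on an affected version the
pre-fork object yields identical output in both children, the
per-process accessor does not.

```perl
#!/usr/bin/env perl
# Added example: shows why a Bytes::Random::Secure::Tiny object must be
# created in the child after forking (advisory workaround), not before.
use strict;
use warnings;
use Bytes::Random::Secure::Tiny;

# Fork-safe accessor: rebuild the generator whenever the PID changes,
# so a child never reuses PRNG state inherited from its parent.
{
    my ($rng, $owner_pid);
    sub rng {
        if (!defined $rng || $owner_pid != $$) {
            $rng       = Bytes::Random::Secure::Tiny->new;
            $owner_pid = $$;
        }
        return $rng;
    }
}

# Run $code in two forked children and return what each one wrote.
sub output_of_two_children {
    my ($code) = @_;
    my @out;
    for (1 .. 2) {
        pipe(my $r, my $w) or die "pipe: $!";
        defined(my $pid = fork) or die "fork: $!";
        if ($pid == 0) {                      # child
            close $r;
            print {$w} $code->();
            close $w;
            exit 0;
        }
        close $w;                             # parent
        push @out, do { local $/; <$r> };
        close $r;
        waitpid $pid, 0;
    }
    return @out;
}

my $shared = Bytes::Random::Secure::Tiny->new;  # created BEFORE forking
$shared->bytes(1);                              # make sure it is seeded in the parent

my @pre_fork = output_of_two_children(sub { $shared->bytes_hex(16) });
my @per_proc = output_of_two_children(sub { rng()->bytes_hex(16) });

printf "pre-fork object:    %s\n", $pre_fork[0] eq $pre_fork[1] ? "IDENTICAL in both children" : "differ";
printf "per-process object: %s\n", $per_proc[0] eq $per_proc[1] ? "identical" : "differ";
```

The same PID check can be wrapped around any long-lived generator in a preforking server, where the parent constructs objects at startup and workers are forked later.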


References
----------
https://github.com/daoswald/Bytes-Random-Secure-Tiny/issues/6
https://github.com/daoswald/Bytes-Random-Secure-Tiny/pull/7
https://security.metacpan.org/patches/B/Bytes-Random-Secure-Tiny/1.011/CVE-2026-11702-r1.patch
https://www.cve.org/CVERecord?id=CVE-2026-41564

Timeline
--------
- 2026-06-24: Issue publicly reported on GitHub
