Alpine: multiple perl-cryptx packages: security update to 0.088-r0

high Tenable Cloud Security Plugin ID 440934

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The
Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519
modules seed a per-object PRNG state in their constructors and reuse it without fork detection. A
Crypt::PK::* object created before `fork()` shares byte-identical PRNG state with every child process, and
any randomized operation they perform can produce identical output, including key generation. Two ECDSA or
DSA signatures from different processes are enough to recover the signing private key through nonce-reuse
key recovery. This affects preforking services such as the Starman web server, where a Crypt::PK::* object
loaded at startup is inherited by every worker process. (CVE-2026-41564)

Solution

Update the perl-cryptx library and its related packages to version 0.088-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-41564

Plugin Details

Severity: High

ID: 440934

Version: Revision 1.6

Type: Local

Published: 4/28/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.71

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2026-41564

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 4/23/2026

Reference Information

CVE: CVE-2026-41564