From 20828ef859e215565ba17a9a24af3a42b0c4360a Mon Sep 17 00:00:00 2001
From: Robert Rothenberg
Date: Thu, 25 Jun 2026 14:43:11 +0100
Subject: [PATCH] Fix for CVE-2026-11625
---
lib/Bytes/Random/Secure.pm | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/Bytes/Random/Secure.pm b/lib/Bytes/Random/Secure.pm
index 65fbfe2..5bd3714 100644
--- a/lib/Bytes/Random/Secure.pm
+++ b/lib/Bytes/Random/Secure.pm
@@ -156,6 +156,7 @@ sub _build_attributes { $self->{$arg} = exists $args->{$arg} ? $args->{$arg} : $default; } + $self->{_pid} = $$; $self->{_RNG} = undef; # Lazy initialization. return $self; }
@@ -171,6 +172,8 @@ sub _instantiate_rng { my @seeds = $self->_generate_seed( %seed_opts ); $self->{_RNG} = Math::Random::ISAAC->new(@seeds); + $self->{_pid} = $$; + return $self->{_RNG}; }
@@ -224,7 +227,7 @@ sub bytes { $bytes = defined $bytes ? $bytes : 0; # Default to zero bytes. $self->_validate_int( $bytes ); # Throws on violation. - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; my $str = '';
@@ -302,7 +305,7 @@ sub _ranged_randoms { $count = defined $count ? $count : 0; # Lazily seed the RNG so we don't waste available strong entropy. - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; my $divisor = $self->_closest_divisor($range);
@@ -354,7 +357,7 @@ sub _closest_divisor { sub irand { my( $self ) = @_; - $self->_instantiate_rng unless defined $self->{_RNG}; + $self->_instantiate_rng unless $$ == $self->{_pid} && defined $self->{_RNG}; return $self->{_RNG}->irand; }
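Review bot: The new `_pid` slot in `_build_attributes` carries the fork-safety invariant of this fix but has no comment, unlike the `_RNG` line directly below it. I would add `# PID that owns the RNG state; bytes/irand/_ranged_randoms reseed when $$ no longer matches (i.e. after fork).` above the assignment. Since `_RNG` is still undef at this point and the first call instantiates it anyway, the constructor copy mainly keeps `_pid` defined for the later numeric comparison, which is worth saying in the same comment. The body of `_build_attributes` starts outside the hunk.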
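Review bot: Recording only `$$` in `_instantiate_rng` does not distinguish interpreter threads, which share one PID. If an object can be cloned into a new ithread (not visible from this hunk), the clone would presumably keep the parent's ISAAC state and pass the `$$ == $self->{_pid}` guard, so both threads would draw the same stream. Consider storing a thread identifier next to `_pid`, or stating in the POD that objects must be created per thread. The start of `_instantiate_rng` is outside the hunk.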
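Review bot: The guard `$$ == $self->{_pid} && defined $self->{_RNG}` is pasted into `bytes` here and again in the `_ranged_randoms` and `irand` hunks, so any later entry point that reads `$self->{_RNG}` directly can miss the fork check without anyone noticing. One private accessor would keep the rule in a single place, e.g. `sub _rng { my $self = shift; return $self->_instantiate_rng unless defined $self->{_RNG} && defined $self->{_pid} && $$ == $self->{_pid}; return $self->{_RNG}; }`, with the three callers using `$self->_rng`. Checking `defined $self->{_pid}` first also avoids an uninitialized-value warning for an object that did not go through `_build_attributes`. All three subs continue outside their hunks.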
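Review bot: Nothing in this commit exercises the reseed path that the `irand` guard and its two siblings add; the diffstat lists only `lib/Bytes/Random/Secure.pm`. A regression test that draws from an object, forks, has the child send its next `irand` and `bytes` output back over a pipe, and asserts it differs from the parent's would pin the CVE fix. It should also cover an object that was constructed but not yet used before the fork, since that path relies on `_RNG` being undef rather than on the PID comparison.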