oss-sec mailing list archives
CVE-2026-9638: Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts
From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 12 Jun 2026 15:43:21 +0100
========================================================================
CVE-2026-9638
CPAN Security Group
========================================================================

CVE ID: CVE-2026-9638
Distribution: Crypt-PBKDF2
Versions: before 0.261630
MetaCPAN: https://metacpan.org/dist/Crypt-PBKDF2
VCS Repo: https://github.com/arodland/Crypt-PBKDF2

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts

Description
-----------

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random
values for salts. These versions use the built-in rand function, which is
predictable and unsuitable for cryptography.

Problem types
-------------

- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Solutions
---------

Upgrade to version 0.261630 or later.

References
----------

https://metacpan.org/dist/Crypt-PBKDF2/source/lib/Crypt/PBKDF2.pm#L86-93
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
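The weak pattern the advisory describes, beside a CSPRNG-backed replacement, as an added illustration that is not Crypt::PBKDF2's own code; it assumes the CPAN module Crypt::URandom is installed, and the function names weak_salt and strong_salt are hypothetical:

```perl
#!/usr/bin/env perl
# Added illustration (not Crypt::PBKDF2's own code): a salt built from
# Perl's core rand() is a deterministic PRNG output, so it is reproducible
# and unsuitable for cryptography; the hardened form draws from the OS CSPRNG.
use strict;
use warnings;
use Crypt::URandom qw(urandom);   # wraps /dev/urandom, getrandom(), CryptGenRandom

# Weak pattern: core rand() is seeded once and then fully deterministic.
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened: salt bytes come from the operating system's CSPRNG.
sub strong_salt {
    my ($len) = @_;
    return urandom($len);
}

# Reseeding with the same value reproduces the "random" salt byte for byte,
# which is exactly why rand() must not be used for cryptographic salts.
srand(12345);
my $first = weak_salt(16);
srand(12345);
my $again = weak_salt(16);
printf "weak salt reproducible after reseed: %s\n",
    ($first eq $again) ? 'yes' : 'no';

# CSPRNG output cannot be replayed this way; consecutive salts differ.
my $s1 = strong_salt(16);
my $s2 = strong_salt(16);
printf "strong salts differ: %s\n", ($s1 ne $s2) ? 'yes' : 'no';
printf "strong salt (hex): %s\n", unpack 'H*', $s1;
```

When auditing Perl code for CWE-338, grep for rand( and srand( in any path that produces salts, keys, nonces or tokens, and replace them with Crypt::URandom or another CSPRNG source.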
