oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-9641: Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations

From: Robert Rothenberg <rrwo () cpansec org>
Date: Fri, 12 Jun 2026 16:00:53 +0100

========================================================================
CVE-2026-9641                                        CPAN Security Group
========================================================================

        CVE ID:  CVE-2026-9641
  Distribution:  Crypt-PBKDF2
      Versions:  before 0.261630

      MetaCPAN:  https://metacpan.org/dist/Crypt-PBKDF2
      VCS Repo:  https://github.com/arodland/Crypt-PBKDF2


Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default
algorithm and number of iterations

Description
-----------
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default
algorithm and number of iterations.

The default algorithm is HMAC-SHA1, which should only be used for
legacy systems.

These versions default to using 1000 iterations.

Depending on the chosen algorithm, 220,000 to 1,400,000 iterations
should be used.

Problem types
-------------
- CWE-916 Use of Password Hash With Insufficient Computational Effort

Workarounds
-----------
Change the default algorithm to something stronger, such as "HMACSHA2",
and the output_len accordingly (32 for SHA256).

The number of iterations should also be increased (600,000 for SHA256,
for example).


Solutions
---------
Upgrade to version 0.261630 or later.


References
----------
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
Previous By Date Next
Previous By Thread Next

Current thread: