CVE-2026-47372
Status: Deferred - Pending Action
Insecure Random Salt Generation in Crypt::SaltedHash Perl Module

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: CPANSec

Description
Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Affected Vendors & Products (1 associated CPE)
Vendor   Product      Version / Range
crypt    saltedhash   through 0.09 (inclusive)
CWE
CWE-338: The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Executive Summary

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts.

These versions use the built-in rand function, which is predictable and unsuitable for cryptography.

Impact Analysis

Because the salts come from a predictable generator, they provide far less entropy than their length suggests, and an attacker who can reproduce or narrow down the salt values loses little of the advantage that a random salt is meant to deny.

Such an attacker can precompute hashes of candidate passwords under the expected salts (rainbow-table style precomputation, which proper salting is supposed to defeat) and can attack many stored hashes in one pass instead of paying the full cost for each hash. The hash algorithm itself is not broken; what is lost is the per-hash work factor that an unpredictable salt imposes.
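To make the "predictable" claim concrete, the script below is an added example written for this page; it is not code from Crypt::SaltedHash or from the advisory, and it says nothing about how the module formats its salts. It assumes Perl 5.20 or newer, where rand() is Perl's own 48-bit drand48 linear congruential generator and each output is exactly the generator state divided by 2**48: one observed output therefore reveals the whole state, and every later output follows from it. The last part, which runs only if Crypt::SysRandom is installed, shows the OS-backed source that the advisory says the fixed release uses instead.

```perl
#!/usr/bin/env perl
# Added example (not from Crypt::SaltedHash or the advisory): why Perl's built-in
# rand() is unsuitable for salts. Assumes Perl 5.20+, where rand() is a 48-bit
# drand48 LCG and each output equals state / 2**48 exactly.
use strict;
use warnings;
use Math::BigInt;

# drand48 parameters: state' = (a * state + c) mod 2**48
my $A = Math::BigInt->new('0x5DEECE66D');
my $C = Math::BigInt->new(11);
my $M = Math::BigInt->new(2)->bpow(48);

# Recover the generator state from a single rand() output and return the
# next $n outputs the generator will produce.
sub predict_from_observed {
    my ($observed, $n) = @_;
    # rand() returned state / 2**48; multiplying back is exact in a double
    # because the state has only 48 bits.
    my $state = Math::BigInt->new(sprintf('%.0f', $observed * 2**48));
    my @predicted;
    for (1 .. $n) {
        $state = ($state * $A + $C)->bmod($M);
        push @predicted, $state->numify() / 2**48;
    }
    return @predicted;
}

# Simulate what a rand()-based salt generator leaks: observe one value,
# predict the following ones, then compare with what rand() really returns.
my $seen      = rand();
my @predicted = predict_from_observed($seen, 4);
my @actual    = map { rand() } 1 .. 4;

for my $i (0 .. 3) {
    printf "predicted %.15f actual %.15f %s\n",
        $predicted[$i], $actual[$i],
        $predicted[$i] == $actual[$i] ? 'MATCH' : 'mismatch';
}

# The fix: take salt bytes from the operating system's CSPRNG, which is what
# Crypt::SysRandom provides. No output of this source reveals the next one.
if (eval { require Crypt::SysRandom; 1 }) {
    my $salt = Crypt::SysRandom::random_bytes(16);
    printf "CSPRNG salt: %s\n", unpack('H*', $salt);
}
else {
    print "Crypt::SysRandom not installed; skipping CSPRNG comparison\n";
}
```

On a supported perl every line prints MATCH, whether or not srand was ever called, because the seed only sets the starting state. A salt built from rand() exposes only part of each output, so recovering the state from a salt takes more work than this direct version; the point is that the whole generator has 48 bits of state and no secret, so nothing it produces should be relied on to protect a stored hash.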

Compliance Impact

The vulnerability in Crypt::SaltedHash versions through 0.09 involves generating salts with a predictable pseudo-random number generator. This weakens the hashing scheme, potentially making stored password hashes easier to attack with precomputed tables.

Such cryptographic weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require appropriate technical measures to protect personal and sensitive data. Using predictable salts may undermine data confidentiality and integrity, thereby increasing the risk of non-compliance with these regulations.

Upgrading to version 0.10 or later, which uses a cryptographically secure random number generator, mitigates this risk and helps maintain compliance by ensuring stronger data protection.

Detection Guidance

This vulnerability can be detected by identifying if the Crypt::SaltedHash Perl module version 0.09 or earlier is installed on your system, as these versions use the insecure built-in rand function for salt generation.

You can check the installed version of the Crypt::SaltedHash module using Perl commands or package management tools.

  • Query the module for its version using the same perl that your application runs under:
  • perl -MCrypt::SaltedHash -e 'print $Crypt::SaltedHash::VERSION, "\n";'
  • Or let perl enforce the minimum directly; this dies with a non-zero exit status if the installed version is below 0.10:
  • perl -e 'use Crypt::SaltedHash 0.10; print "ok\n"'
  • To see where the module was loaded from (applications may carry their own copy under local/ or a vendor directory), print the path as well:
  • perl -MCrypt::SaltedHash -e 'print Crypt::SaltedHash->VERSION, " ", $INC{"Crypt/SaltedHash.pm"}, "\n"'
  • If the module was installed from CPAN, cpan -D Crypt::SaltedHash reports both the installed version and the latest release. Note that cpanm --info reports the latest release in the CPAN index, not what is installed, so it does not answer this question.
  • If it came from the OS package manager, ask the package manager instead (on Debian and Ubuntu the package is libcrypt-saltedhash-perl, so dpkg -s libcrypt-saltedhash-perl shows the version).

If the version is 0.09 or earlier, that installation is vulnerable. Repeat the check for every perl on the host (system perl, perlbrew or plenv builds, and application-bundled local::lib trees), since each has its own module search path.

Mitigation Strategies

The immediate mitigation is to upgrade Crypt::SaltedHash to version 0.10 or later, where salt generation was changed to use a cryptographically secure source of randomness.

According to the advisory, this release replaces the use of the built-in rand function with Crypt::SysRandom, which draws random bytes from the operating system's CSPRNG.

  • Update the module using CPAN or your package manager, for example:
  • cpan Crypt::SaltedHash
  • or
  • cpanm Crypt::SaltedHash
  • cpanm can also enforce the minimum version: cpanm Crypt::SaltedHash~0.10 installs 0.10 or later only.
  • If the module came from the OS package manager, upgrade that package rather than mixing in a CPAN copy, and confirm that the copy your application actually loads is the patched one.

After upgrading, verify the version to confirm the patch is applied. Note that the upgrade only changes how new salts are generated: hashes already stored were produced with rand()-derived salts and keep them. Where feasible, re-hash stored credentials under the fixed module, for example by regenerating the hash on each user's next successful authentication, or rotate credentials for high-value accounts.
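The script below is an added example for this page, not code from the advisory or from the module. It performs the version check described under Detection Guidance and the post-upgrade verification described here, comparing the installed version against 0.10 with the version module from core Perl. It assumes nothing beyond a working perl; run it once under each perl installation that might load the module, because each has its own @INC.

```perl
#!/usr/bin/env perl
# Added example, not part of the advisory or of Crypt::SaltedHash: report whether
# the Crypt::SaltedHash visible to this perl is at or below 0.09 (CVE-2026-47372).
# Exit status: 0 fixed, 1 vulnerable, 2 not installed for this perl.
use strict;
use warnings;
use version;

my $FIXED_IN = version->parse('0.10');   # fixed release named in the advisory

# Returns (status, message). Kept separate from the exit handling so the check
# can be called from a larger inventory script.
sub check_crypt_saltedhash {
    my $installed = eval { require Crypt::SaltedHash; Crypt::SaltedHash->VERSION };
    return (2, "Crypt::SaltedHash not installed for $^X") unless defined $installed;

    # Record where it was loaded from; bundled copies under local/ or a vendor
    # directory are easy to overlook when only the system perl is patched.
    my $path = $INC{'Crypt/SaltedHash.pm'};
    if (version->parse($installed) < $FIXED_IN) {
        return (1, "VULNERABLE: Crypt::SaltedHash $installed at $path (fixed in 0.10)");
    }
    return (0, "OK: Crypt::SaltedHash $installed at $path");
}

my ($status, $msg) = check_crypt_saltedhash();
print "$msg\n";
exit $status;
```

Run it as perl check_saltedhash.pl with each perl of interest, for example /usr/bin/perl check_saltedhash.pl and then the perlbrew or application perl; the exit status makes it usable from configuration-management or CI jobs, and the same run after upgrading confirms that the copy your application loads is the patched one.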
