CVE-2026-6659
Deferred Deferred - Pending Action
Predictable Salt Generation in Crypt::PasswdMD5 Perl Module

Publication date: 2026-05-08

Last updated on: 2026-05-26

Assigner: CPANSec

Description
Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-26
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6659
EUVD
EUVD-2026-28809
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rsavage crypt_passwdmd5 1.42
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure random values for salts.

The vulnerability arises because the built-in rand function used to generate these salts is predictable and unsuitable for cryptographic purposes.

Impact Analysis

Because the salts used in password hashing are generated using a predictable random function, attackers may be able to guess or reproduce these salts.

This predictability weakens the security of hashed passwords, potentially making it easier for attackers to perform attacks such as precomputed hash attacks or rainbow table attacks.

Compliance Impact

The vulnerability in Crypt::PasswdMD5 versions through 1.42 involves the generation of insecure random values for salts due to the use of a predictable built-in rand function, which is unsuitable for cryptography.

This weakness can lead to compromised password hashing security, potentially increasing the risk of unauthorized access to sensitive data.

Such a security flaw may impact compliance with standards and regulations like GDPR and HIPAA, which require adequate protection of personal and sensitive information through strong cryptographic measures.

Failure to use secure cryptographic practices could result in non-compliance due to insufficient protection of data confidentiality.

Detection Guidance

This vulnerability affects Crypt::PasswdMD5 versions up to and including 1.42 for Perl, specifically due to the use of the built-in rand function for salt generation, which is predictable and insecure.

To detect if your system is vulnerable, you should check if the Crypt::PasswdMD5 Perl module is installed and verify its version.

  • Run the command `perl -MCrypt::PasswdMD5 -e 'print $Crypt::PasswdMD5::VERSION'` to determine the installed version.
  • Search your codebase or scripts for usage of Crypt::PasswdMD5, especially calls to functions that generate salts.
  • Review the source code of Crypt::PasswdMD5 (lines 35-47 in lib/Crypt/PasswdMD5.pm) if possible, to confirm the use of the built-in rand function for salt generation.
Mitigation Strategies

Immediate mitigation steps include upgrading or replacing the vulnerable Crypt::PasswdMD5 module to a version that does not use the insecure built-in rand function for salt generation.

If an updated version is not available, consider patching the module to use a cryptographically secure random number generator instead of the built-in rand function.

Additionally, review and update any password hashes generated with the vulnerable module to ensure salts are generated securely.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart