CVE-2026-9638
Deferred Deferred - Pending Action

Predictable Salt Generation in Crypt::PBKDF2 Perl Module

Vulnerability report for CVE-2026-9638, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: CPANSec

Description

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-07-03
AI Q&A
2026-06-12
EPSS Evaluated
2026-07-01
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
crypt pbkdf2 to 0.261630 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability affects Crypt::PBKDF2 versions before 0.261630 for Perl, where insecure random values for salts are generated due to the use of the built-in rand function.

To detect if your system is vulnerable, you should check the installed version of the Crypt::PBKDF2 Perl module.

You can use the following command to check the installed version of Crypt::PBKDF2:

  • perl -MCrypt::PBKDF2 -e 'print $Crypt::PBKDF2::VERSION, "\n"'

If the version is earlier than 0.261630, your system is vulnerable.

Since the vulnerability is related to the use of a predictable random number generator, there are no direct network detection commands; detection is primarily version-based.

Executive Summary

This vulnerability affects Crypt::PBKDF2 versions before 0.261630 for Perl. These versions generate insecure random values for salts because they use the built-in rand function, which is predictable and not suitable for cryptographic purposes.

Impact Analysis

The use of predictable salts in cryptographic operations can weaken the security of password hashing. This may allow attackers to more easily perform attacks such as precomputed hash attacks or rainbow table attacks, potentially leading to compromised passwords or other sensitive data.

Compliance Impact

The vulnerability in Crypt::PBKDF2 versions before 0.261630 causes the generation of insecure random values for salts due to the use of a predictable and cryptographically weak pseudo-random number generator. This weakness can lead to compromised password hashing security.

Such cryptographic weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require adequate protection of sensitive data, including secure password storage and cryptographic practices. Failure to use strong cryptographic methods may result in non-compliance due to insufficient data protection measures.

Mitigation Strategies

To mitigate the vulnerability in Crypt::PBKDF2, you should upgrade to version 0.261630 or later.

This update replaces the insecure use of the built-in rand function, which is predictable and unsuitable for cryptographic purposes, with a secure method for generating random salt values.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9638. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart