CVE-2026-9638
Status: Deferred - Pending Action
Predictable Salt Generation in Crypt::PBKDF2 Perl Module

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: CPANSec

Description
Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Affected Vendors & Products (1 associated CPE)

Vendor   Product   Version / Range
crypt    pbkdf2    all versions before 0.261630 (0.261630 excluded from the affected range)
CWE ID    Description
CWE-338   The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
AI Quick Actions (AI-generated insights)
Executive Summary

This vulnerability affects Crypt::PBKDF2 versions before 0.261630 for Perl. These versions generate insecure random values for salts because they use the built-in rand function, which is predictable and not suitable for cryptographic purposes.

Impact Analysis

Predictable salts weaken password hashing: a salt is meant to force attackers to work per-hash, but if the salt value can be predicted, attackers can precompute hashes ahead of time (for example in rainbow tables), potentially leading to compromised passwords or other sensitive data.
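
The following is an added example, not code from the Crypt::PBKDF2 distribution or the CVE record. It shows the weak salt pattern the description refers to (salt bytes derived from Perl's built-in rand) beside a hardened replacement that reads the salt from the operating system's CSPRNG, and a mitigation for callers who cannot upgrade yet: Crypt::PBKDF2->generate accepts an explicit salt as its second argument, so the caller can supply CSPRNG bytes instead of relying on the module's internal salt generation. The helper names weak_salt and strong_salt, the /dev/urandom path, and the sample password are assumptions of this example; the iteration count and hash parameters are illustrative choices, not values from the advisory.

```perl
#!/usr/bin/env perl
# Added example (not code from Crypt::PBKDF2 or its author): weak rand()-based
# salt generation beside a CSPRNG-backed version, plus an explicit-salt
# mitigation for affected versions of the module.
use strict;
use warnings;
use Crypt::PBKDF2;   # assumed installed; versions before 0.261630 are affected

# Weak pattern: rand() is a general-purpose PRNG whose output is fixed by a
# small seed, so salts built from it are predictable (CWE-338).
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened pattern: take salt bytes from the OS CSPRNG. Core Perl only; on a
# platform without /dev/urandom use Crypt::URandom or Bytes::Random::Secure.
sub strong_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $salt, $len;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return $salt;
}

# Mitigation: pass a CSPRNG salt explicitly so the module's own salt
# generation is never used, whatever version is installed.
my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 100_000,   # illustrative; tune for your deployment
    salt_len   => 16,        # only used when no salt is passed to generate()
);

my $password = 'correct horse battery staple';   # constructed sample input
my $stored   = $pbkdf2->generate($password, strong_salt(16));
print "stored:   $stored\n";
print "validate: ", ($pbkdf2->validate($stored, $password) ? "ok" : "FAIL"), "\n";

# Check that the salt source is independent of the built-in PRNG: after
# re-seeding with the same value, rand()-derived salts repeat, CSPRNG salts do not.
srand(1); my $w1 = weak_salt(16);
srand(1); my $w2 = weak_salt(16);
srand(1); my $s1 = strong_salt(16);
srand(1); my $s2 = strong_salt(16);
print "rand() salt repeats after srand():  ", ($w1 eq $w2 ? "yes" : "no"), "\n";
print "urandom salt repeats after srand(): ", ($s1 eq $s2 ? "yes" : "no"), "\n";
```

The last block is the check a reviewer would want when auditing salt generation in Perl code: if re-seeding the interpreter's PRNG makes the salt reproduce, the salt is not coming from a cryptographic source. Upgrading to Crypt::PBKDF2 0.261630 or later remains the primary fix; supplying the salt explicitly is a stopgap that also keeps the application independent of the module's internal choice of random source.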
