CVE-2026-8647 PUBLISHED

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available

Assigner: CPANSec
Reserved: 14.05.2026 Published: 26.05.2026 Updated: 27.05.2026

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available.

The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available.

Product Status

Vendor	MIK
Product	Crypt::ScryptKDF
Versions	Default: unaffected affected from 0 to 0.010 (incl.)

Workarounds

Install one of the recommended Perl modules, such as Crypt::PRNG.

Solutions

Upgrade to version 0.011 or later.

References

https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes
https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm

Problem Types

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator CWE