CVE-2026-9638 PUBLISHED

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts

Assigner: CPANSec
Reserved: 2026-05-26  Published: 2026-06-12  Updated: 2026-06-12

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts.

These versions derive the salt from Perl's built-in rand function, a non-cryptographic PRNG whose output is predictable to anyone who can observe or guess its internal state. Salts produced this way may be guessable or repeat across hashes, which weakens the protection PBKDF2 relies on against precomputed dictionary attacks. Salts should come from a cryptographically secure source such as the operating system's random device (CWE-338).

Product Status

Vendor ARODLAND
Product Crypt::PBKDF2
Versions Default: unaffected
  • affected from 0 to 0.261630 (excl.)

Solutions

Upgrade to version 0.261630 or later.
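The following Perl script is an added example, not code from the advisory or from the Crypt::PBKDF2 distribution. It shows the three things a practitioner would want after reading the description and the solution above: how to check the installed version against the fixed release, what the weak rand()-based salt pattern looks like so it can be recognised in review, and how to supply a salt from the OS CSPRNG explicitly so that the library's own salt generator is not relied upon. It assumes Crypt::PBKDF2 and Crypt::URandom are installed from CPAN; the iteration count and the sample password are values chosen for the example.

```perl
#!/usr/bin/env perl
# Added example (not from the advisory or the Crypt::PBKDF2 distribution).
# Assumes Crypt::PBKDF2 and Crypt::URandom are installed from CPAN.
use strict;
use warnings;
use version;
use Crypt::PBKDF2;
use Crypt::URandom qw(urandom);

# 1. Compare the installed version with the fixed release named in the advisory.
my $fixed = version->parse('0.261630');
my $have  = version->parse($Crypt::PBKDF2::VERSION);
printf "Crypt::PBKDF2 %s installed: %s\n", $have,
    $have < $fixed ? 'AFFECTED, upgrade' : 'fixed release or later';

# 2. The pattern the advisory describes (CWE-338): salt bytes drawn from
#    Perl's built-in rand(), a non-cryptographic PRNG. Shown only so it can be
#    recognised in code review; never use it for salts or keys.
sub weak_salt {
    my $len = shift;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# 3. Salt bytes from the operating system's CSPRNG instead.
#    Crypt::URandom reads /dev/urandom or the platform equivalent.
sub strong_salt {
    my $len = shift;
    return urandom($len);
}

my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 600_000,   # example value; tune for your deployment
    salt_len   => 16,
);

# Passing the salt explicitly to generate() bypasses the library's internal
# salt generation, which is the part affected in versions before 0.261630.
my $password = 'correct horse battery staple';   # constructed sample input
my $hash     = $pbkdf2->generate($password, strong_salt(16));
print "$hash\n";
print $pbkdf2->validate($hash, $password) ? "validate: ok\n"
                                          : "validate: FAILED\n";
```

Upgrading remains the real fix; supplying the salt yourself is a stopgap for code that cannot move to 0.261630 immediately, and it only helps if every call site that creates hashes does it. Hashes already stored with rand()-derived salts are not made stronger by the upgrade; they stay as they were until the password is next set.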

Problem Types

  • CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)