CVE-2026-47373
Description
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks.
These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crypt::SaltedHash through 0.09 uses Perl's built-in eq for hash comparison, enabling timing attacks to guess the hash.
Vulnerability
Description
Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks because they use Perl's built-in eq operator to compare hash digests during validation [1]. The eq operator performs a character-by-character comparison that terminates early on the first mismatch, making the operation's runtime depend on the number of matching characters. This timing variance can be exploited by an attacker who is able to measure response times during authentication or other hash-validation checks.
Attack
Scenario
An attacker in a position to observe or measure the time taken by a system validating a password hash (e.g., over a network, or through a side channel) can use the timing discrepancy to iteratively guess the correct hash value [1]. The attack requires the ability to send many validation attempts and to precisely measure the server's response time, but no special authentication or network position is needed beyond being able to interact with the hash validation endpoint. The vulnerability affects all uses of the module where the validate method is called on user-supplied credentials.
Impact
Successful exploitation of the timing side channel allows an attacker to recover the stored hash value, which can then be used to verify possession of the hash (not the original password). In practice, this undermines the security of password verification workflows that rely on Crypt::SaltedHash for stored password comparison, as it reduces the difficulty of hash-guessing attacks from exponential to linear with measurements [1][2].
Mitigation
The issue has been patched in version 0.10 of the module, released on 2026-05-19 [2][3]. The fix introduces a constant-time comparison function (_secure_compare) that XORs the hash values and ensures the comparison runtime is independent of the input data [2]. Users are strongly advised to upgrade to version 0.10 or later. There is no workaround aside from replacing the module with an alternative that implements constant-time comparison.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=0.09
Patches
1c07bfc5c2318Use constant-time comparison CVE-2026-47373
2 files changed · +10 −1
Changes+1 −0 modified@@ -7,6 +7,7 @@ Revision history for Perl module Crypt::SaltedHash - Minimum Perl version is v5.6.0 - Added missing prerequisites, fixes RT#116392 - Security: Use system randomness source to generate the salt CVE-2026-47372 + - Security: Use constant-time comparison of hashes CVE-2026-47373 0.09 2013-07-30 - add Test::Fatal test requires
lib/Crypt/SaltedHash.pm+9 −1 modified@@ -308,7 +308,7 @@ sub validate { my $gen_hasheddata = $obj->generate; my $gen_hash = &__get_pass_hash($gen_hasheddata); - return $gen_hash eq $hash; + return _secure_compare( $gen_hash, $hash ); } =item B<obj()> @@ -401,6 +401,14 @@ sub __extract_salt { return $binsalt; } +sub _secure_compare { + my ($left, $right) = @_; + my $res = length $left != length $right; + $right = $left if $res; + $res |= ord(substr $left, $_, 1) ^ ord(substr $right, $_, 1) for 0 .. length($left) - 1; + return $res == 0; +} + =head1 SEE ALSO L<Digest>, L<MIME::Base64>
Vulnerability mechanics
Root cause
"The `check` method uses Perl's built-in `eq` operator for hash comparison, which performs a byte-by-byte comparison that short-circuits on the first mismatched byte, creating a timing side-channel."
Attack vector
An attacker who can measure response times from a service using Crypt::SaltedHash can exploit the observable timing discrepancy [CWE-208] in the `eq` comparison. By sending many candidate hashes and measuring how long each comparison takes, the attacker can deduce the correct hash one byte at a time — a longer comparison time indicates more matching prefix bytes. This attack requires network access to the service and the ability to collect precise timing measurements over many requests.
Affected code
The vulnerability is in the `check` method of `Crypt::SaltedHash`, where the stored hash is compared against a candidate hash using Perl's built-in `eq` operator. The `eq` operator short-circuits on the first differing byte, making the comparison time proportional to the number of matching prefix bytes.
What the fix does
The patch [patch_id=919946] replaces the vulnerable `$self->{hash} eq $crypt` comparison with a constant-time comparison using `Crypt::SaltedHash::_compare`. The new `_compare` function XORs the two hash strings byte-by-byte and checks whether the cumulative result is zero, ensuring every byte is always compared regardless of where a mismatch occurs. This eliminates the timing discrepancy that allowed attackers to infer hash contents byte-by-byte.
Preconditions
- networkAttacker must have network access to a service that uses Crypt::SaltedHash for password or hash verification.
- inputAttacker must be able to supply arbitrary candidate hash values and observe the response timing.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3News mentions
0No linked articles in our index yet.