CVE-2026-9638
Description
Crypt::PBKDF2 before 0.261630 used Perl's predictable rand() to generate salts, making password hashes vulnerable to attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crypt::PBKDF2 before 0.261630 used Perl's predictable rand() to generate salts, making password hashes vulnerable to attack.
Vulnerability
Crypt::PBKDF2 versions before 0.261630 [2] generate salts using Perl's built-in rand() function, which produces predictable values unsuitable for cryptographic use [1]. The vulnerability resides in the salt generation logic; any code path that relies on the default salt generation is affected.
Exploitation
An attacker with knowledge of the system's state (e.g., process ID, timing) can predict the output of rand() and thus the generated salt. No authentication or user interaction is required; the attacker only needs to observe the environment to compute likely salts.
Impact
If an attacker can predict the salt, they may precompute rainbow tables or perform offline brute-force attacks against the hashed passwords, potentially recovering plaintext passwords. This compromises the confidentiality of user credentials.
Mitigation
Upgrade to Crypt::PBKDF2 version 0.261630 or later [2], which replaces rand() with Crypt::URandom to generate cryptographically secure random salts. The fix was released on 2026-06-11.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <0.261630
- Range: <0.261630
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3News mentions
0No linked articles in our index yet.