Description
Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts.

These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Published: 2026-05-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crypt::SaltedHash, a Perl module produced by RRWO, creates salts for hashing using Perl's built‑in rand function. This function is intended for non‑cryptographic uses and produces predictable values, violating the requirement for cryptographic randomness. The result is that salts can be guessed or reproduced, which weakens the uniqueness of salted hashes and can allow attackers to pre‑compute or brute‑force hash values, undermining the confidentiality of protected data. This weakness is identified as CWE‑338: Insecure Random Number Generation.
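The weakness above, as an added illustration that is not code from Crypt::SaltedHash or its author: a salt built from Perl's built-in rand beside one built from the OS CSPRNG via Crypt::URandom (the module named in the recommended actions), plus a check showing why a rand-based salt is reproducible. The names weak_salt, strong_salt and repeats_after_reseed and the seed value are constructed for this example; the weak pattern is a generic rand-based salt, not the module's actual implementation.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::URandom qw(urandom);     # CPAN module; wraps the OS CSPRNG
use MIME::Base64 qw(encode_base64);

# Weak pattern (constructed illustration): salt bytes drawn from rand(),
# a seeded, non-cryptographic PRNG. This is the class of bug CWE-338 names.
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened pattern: salt bytes from the operating system's CSPRNG.
sub strong_salt {
    my ($len) = @_;
    return urandom($len);
}

# Defender's check: if a salt generator returns the same bytes after the
# process PRNG is re-seeded with the same value, its output is a function
# of that seed, i.e. predictable to anyone who can learn or guess it.
sub repeats_after_reseed {
    my ($gen, $len) = @_;
    srand(12345);                   # constructed seed; any fixed value works
    my $first = $gen->($len);
    srand(12345);
    my $second = $gen->($len);
    return $first eq $second ? 1 : 0;
}

printf "weak salt repeats after reseed:   %d\n", repeats_after_reseed(\&weak_salt, 16);
printf "strong salt repeats after reseed: %d\n", repeats_after_reseed(\&strong_salt, 16);
printf "strong salt (base64): %s", encode_base64(strong_salt(16));
```

The rand-based generator reports 1 because srand fully determines its output; the urandom-based generator is unaffected by srand and reports 0.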

Affected Systems

The issue impacts all deployments of Crypt::SaltedHash version 0.09 or earlier, including the default Perl distributions that bundle this module. Any application that imports this module to hash passwords, tokens, or other sensitive material is affected.

Risk and Exploitability

The CVSS score of 9.1 reflects a high severity level. The EPSS score is < 1%, indicating that the probability of exploitation is presently low. The vulnerability is not listed in CISA's KEV catalog, but this absence does not diminish its potential impact. Based on the description, it is inferred that the attack vector is local or script‑based within the application that uses the module. If an attacker can manipulate or observe the hashing process, they could predict or reproduce the salt, enabling efficient offline attacks against stored credentials.

Generated by OpenCVE AI on May 21, 2026 at 16:52 UTC.

Remediation

Vendor Solution

Upgrade to version 0.10 or later.


OpenCVE Recommended Actions

  • Upgrade Crypt::SaltedHash to version 0.10 or later, which replaces the rand function with a cryptographically secure source
  • Verify that no older versions coexist in the environment; remove or exclude them from the module search path
  • If an immediate upgrade is not possible, patch or replace the module to use a secure random number generator such as Crypt::URandom or a third‑party library

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values added: Rrwo; Rrwo crypt::saltedhash
Type: Vendors & Products
Values added: Rrwo; Rrwo crypt::saltedhash

Thu, 21 May 2026 02:30:00 +0000

Type: References

Wed, 20 May 2026 22:15:00 +0000

Type: Description
Values added: Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Type: Title
Values added: Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts
Type: Weaknesses
Values added: CWE-338
Type: References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-21T14:12:28.966Z

Reserved: 2026-05-19T16:17:52.855Z

Link: CVE-2026-47372

Vulnrichment

Updated: 2026-05-21T00:37:36.726Z

NVD

Status: Deferred

Published: 2026-05-20T22:16:37.270

Modified: 2026-05-21T16:04:53.813

Link: CVE-2026-47372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T17:00:14Z

Weaknesses