Description
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks.

These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash.
Published: 2026-05-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crypt::SaltedHash versions through 0.09 depend on Perl’s built‑in eq comparison, which leaks timing information. An attacker who can trigger these comparisons can measure elapsed time to guess the underlying hash value, potentially compromising stored credentials and leading to credential theft or account takeover.

Affected Systems

The vulnerability affects the Crypt::SaltedHash module for Perl (vendor RRWO) in all releases up to and including 0.09. Version 0.10 or later includes the fix. The product is commonly used to store salted passwords in Perl applications.

Risk and Exploitability

The CVSS score is 7.5 and the EPSS score is <1%, and the vulnerability is not listed in CISA’s KEV catalog. Therefore, the quantified risk is medium‑high severity with a low probability of exploitation. The attack vector is inferred to be possible when an application exposes the equality comparison—either via a public endpoint or internal logic—allowing an attacker to observe timing differences. Because any timing leak can be exploited repeatedly, the potential impact remains significant but the low EPSS score indicates a relatively low likelihood of exploitation under current public exposure assumptions.

Generated by OpenCVE AI on May 21, 2026 at 16:23 UTC.

Remediation

Vendor Solution

Upgrade to version 0.10 or later.

OpenCVE Recommended Actions

  • Upgrade Crypt::SaltedHash to version 0.10 or later.
  • If upgrading is not immediately possible, replace any Perl eq comparisons with a constant‑time comparison routine or a library function that ensures equal execution time.
  • Audit the codebase for other timing‑dependent equality checks and apply constant‑time replacements where needed.

Generated by OpenCVE AI on May 21, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Rrwo
Rrwo crypt::saltedhash
Vendors & Products Rrwo
Rrwo crypt::saltedhash

Wed, 20 May 2026 23:30:00 +0000

Type Values Removed Values Added
References

Wed, 20 May 2026 21:00:00 +0000

Type Values Removed Values Added
Description Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash.
Title Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks
Weaknesses CWE-208
References

Subscriptions

Rrwo Crypt::saltedhash
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-21T14:10:59.820Z

Reserved: 2026-05-19T16:17:52.856Z

Link: CVE-2026-47373

cve-icon Vulnrichment

Updated: 2026-05-20T22:31:06.839Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T21:16:17.853

Modified: 2026-05-21T16:04:53.813

Link: CVE-2026-47373

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T16:30:14Z

Weaknesses