Description
Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure random values for salts.

The built-in rand function is predictable, and unsuitable for cryptography.
Published: 2026-05-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The salt-generation routine in Crypt::PasswdMD5 uses Perl's built-in rand function, which is deterministic and unsuitable for cryptographic use. The affected module versions therefore produce salts with very low entropy, leaving the resulting password hashes vulnerable to pre-computed or rainbow-table attacks. An attacker who can observe or predict the salt values can significantly reduce the effort required to crack stored passwords, potentially compromising user accounts and data confidentiality. This flaw is classified as CWE-338: Predictable Random Number Generation.

Affected Systems

The vulnerability affects the RSAVAGE Crypt::PasswdMD5 module for Perl, in all versions up through 1.42 inclusive. Any Perl installation or application that relies on this module to store or verify passwords is at risk.

Risk and Exploitability

Because the flaw resides in a library function that is automatically called whenever a password hash is created, the exploitability is high for any environment that imports or uses Crypt::PasswdMD5. The CVSS score is 7.5, indicating a high severity, and the exploitability of generating predictable salts exposes stored credentials to pre‑computation attacks. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is code execution that imports the vulnerable module and generates password hashes.

Generated by OpenCVE AI on May 8, 2026 at 19:43 UTC.

Remediation

Vendor Solution

Upgrade to version 1.43 or later.


OpenCVE Recommended Actions

  • Upgrade Crypt::PasswdMD5 to the latest released version that replaces the rand function with a cryptographically secure random generator or switch to a different password hashing module such as Crypt::Argon2 or Crypt::Bcrypt.
  • If an upgrade is not feasible, manually replace the salt generation code in the module with a secure source of entropy, for example by using Perl’s Crypt::URandom or by generating random bytes from a CSPRNG and encoding them as a salt.
  • Audit all Perl projects that depend on Crypt::PasswdMD5 and confirm that they are using secure salts before storing or validating passwords.
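As an added example (not taken from the CVE record, from OpenCVE, or from the Crypt::PasswdMD5 distribution), the following Perl script applies the second recommendation without patching the module itself: it builds the salt from Crypt::URandom and passes it explicitly to unix_md5_crypt(). This relies on the assumption, drawn from the module's documented interface, that unix_md5_crypt() only generates its own salt when the salt argument is omitted. It assumes Crypt::URandom (exporting urandom) and Crypt::PasswdMD5 (exporting unix_md5_crypt) are installed; the sample password and the 8-character salt length are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example, not code from the CVE record or the Crypt::PasswdMD5 module.
# Builds an MD5-crypt salt from the OS CSPRNG (Crypt::URandom) and hands it to
# unix_md5_crypt() explicitly, so the module's internal rand()-based salt path
# is never exercised. Assumes both modules are installed from CPAN.
use strict;
use warnings;
use Crypt::URandom   qw(urandom);
use Crypt::PasswdMD5 qw(unix_md5_crypt);

# Alphabet used by crypt(3)-style salts: exactly 64 symbols.
my @ITOA64 = ('.', '/', '0'..'9', 'A'..'Z', 'a'..'z');

# Return a salt of $len characters drawn from the OS CSPRNG. Each random byte
# is reduced modulo 64; since 256 is a multiple of 64 the mapping is unbiased.
# MD5-crypt uses at most 8 salt characters, so 8 is the default.
sub secure_salt {
    my $len   = shift // 8;
    my @bytes = unpack 'C*', urandom($len);
    return join '', map { $ITOA64[$_ % 64] } @bytes;
}

# Hash a password with a salt we supply ourselves (assumption: the module
# falls back to its own salt generator only when no salt is passed).
sub hash_password {
    my ($password) = @_;
    return unix_md5_crypt($password, secure_salt());
}

# Verify a password against a stored "$1$<salt>$<hash>" string. The stored
# value carries its salt, and unix_md5_crypt() extracts the salt portion when
# given a full hash as its second argument, so re-hashing must reproduce it.
sub verify_password {
    my ($password, $stored) = @_;
    return unix_md5_crypt($password, $stored) eq $stored;
}

# Constructed sample input for a stand-alone run.
my $password = 'correct horse battery staple';
my $hash     = hash_password($password);
print "stored hash: $hash\n";
print verify_password($password, $hash)  ? "verify ok\n"    : "verify FAILED\n";
print verify_password('wrong', $hash)    ? "rejects: NO\n"  : "rejects wrong password\n";
```

Two points worth checking in any deployment that takes this route: every call site must pass a salt (a single omitted argument reopens the predictable path), and the salt must be stored only as part of the resulting hash string, never regenerated at verification time.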



Advisories

No advisories yet.

History

Tue, 26 May 2026 23:15:00 +0000


Tue, 19 May 2026 00:15:00 +0000

Type        Values Removed            Values Added
References
Metrics     threat_severity: None     threat_severity: Moderate


Sun, 10 May 2026 21:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rsavage
                                       Rsavage crypt::passwdmd5
Vendors & Products                     Rsavage
                                       Rsavage crypt::passwdmd5

Fri, 08 May 2026 20:30:00 +0000

Type        Values Removed   Values Added
References

Fri, 08 May 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.
Title                          Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts
Weaknesses                     CWE-338
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-26T22:52:31.427Z

Reserved: 2026-04-20T08:24:35.812Z

Link: CVE-2026-6659

Vulnrichment

Updated: 2026-05-08T19:30:59.696Z

NVD

Status: Deferred

Published: 2026-05-08T18:16:34.183

Modified: 2026-05-26T23:16:21.090

Link: CVE-2026-6659

Redhat

Severity: Moderate

Public Date: 2026-05-08T17:17:01Z

Links: CVE-2026-6659 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-10T21:25:01Z

Weaknesses