Description
Crypt::DSA versions before 1.20 for Perl generate seeds using rand.

Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Published: 2026-05-15
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crypt::DSA versions prior to 1.20 generate cryptographic seeds with Perl's built-in rand function, which is deterministic and therefore predictable. The predictable seeds expose cryptographic key material to an attacker who can anticipate the chosen prime numbers and thus the resulting digital signature keys. The vulnerability is classified as CWE-331 (Insufficient Entropy) and can lead to a loss of confidentiality and integrity of signed messages.

Affected Systems

The affected component is the Perl Crypt::DSA module supplied by TIMLEGGE. Any installation using a version older than 1.20 that relies on this module for generating DSA keys is vulnerable. The official remediation is to upgrade to version 1.20 or later, as stated by the vendor.

Risk and Exploitability

The CVSS score is 7.3, indicating a high severity risk. The EPSS score is < 1%, indicating a very low probability of exploitation. The vulnerability does not appear in the CISA KEV catalog. Because the flaw requires the vulnerable module to be used in key generation, an attacker would need the ability to influence key creation or access the environment where the module runs. While no exploits have been reported, the fundamental weakness would enable an attacker to precompute keys if they can observe or predict the seed sequence, making the risk significant for systems that use this module for critical signing operations.

Generated by OpenCVE AI on May 18, 2026 at 16:22 UTC.

Remediation

Vendor Solution

Upgrade to version 1.20 or later.


OpenCVE Recommended Actions

  • Upgrade Crypt::DSA to version 1.20 or later.
  • If upgrading is not immediately possible, prevent key generation with the vulnerable module in any production environment and use an alternative cryptographic library that employs a secure random number source.
  • If the module must remain in use for legacy reasons, configure the application to provide the seed from an external high-entropy source such as /dev/urandom, ensuring that Perl's built-in rand function is not used for key material.


Advisories

No advisories yet.

History

Mon, 18 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 17 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Timlegge
Timlegge crypt::dsa
Vendors & Products Timlegge
Timlegge crypt::dsa

Sat, 16 May 2026 01:30:00 +0000

Type Values Removed Values Added
References

Fri, 15 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Crypt::DSA versions before 1.20 for Perl generate seeds using rand. Seeds were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.
Title Crypt::DSA versions before 1.20 for Perl generate seeds using rand
Weaknesses CWE-331
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-18T15:04:20.918Z

Reserved: 2026-05-15T17:20:11.254Z

Link: CVE-2026-8700

Vulnrichment

Updated: 2026-05-16T00:31:19.834Z

NVD

Status: Deferred

Published: 2026-05-15T22:16:57.020

Modified: 2026-05-18T17:40:45.343

Link: CVE-2026-8700

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T16:30:05Z