CVE-2026-47372

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts

CVSS 9.1 CRITICAL · EPSS 0.4% · CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator)
In short

Crypt::SaltedHash for Perl, in versions up to and including 0.09, draws password salts from Perl's built-in rand(), a deterministic pseudorandom number generator that is not suitable for cryptographic use. A salt is meant to be unpredictable so that an attacker cannot precompute hashes ahead of time; when the salt sequence can be reproduced, that protection is lost and stored password hashes become far cheaper to attack.

Technical detail

The module builds salt bytes from Perl's built-in rand() function. rand() is a deterministic PRNG (a drand48-style generator in modern perls) whose entire output sequence is fixed by the seed passed to srand(), and that seed is a small value (32 bits on stock Perl builds). An attacker who recovers or brute-forces the seed can regenerate every salt the process produced, and because the effective salt space is bounded by the seed space, precomputed tables (rainbow tables) covering the likely salts become practical again. This removes the benefit salting is supposed to provide: hashes for many accounts can be attacked with shared precomputation instead of one independent brute-force per hash. Affected versions prior to 0.10 do not read salt bytes from a cryptographically secure source such as /dev/urandom or a CSPRNG library. Note that upgrading only changes how new salts are generated; hashes already stored with weakly generated salts keep those salts, so existing records should be rehashed (for example on the user's next successful login).
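The following script is an added illustration, not code from Crypt::SaltedHash or its author. It puts a rand()-based salt generator beside one that reads /dev/urandom, shows that the rand() salt sequence is fully reproduced once the srand() seed is known, and wraps both in the RFC 2307 {SSHA} layout (base64 of SHA-1 digest followed by the salt) that Crypt::SaltedHash emits by default. The seed value 12345, the 4-byte salt length and the helper names are choices made for the demo.

```perl
#!/usr/bin/env perl
# Added example: predictable rand() salts versus /dev/urandom salts.
# Not the module's own code; the function names and seed are illustrative.
use strict;
use warnings;
use Digest::SHA   qw(sha1);
use MIME::Base64  qw(encode_base64);

# Vulnerable pattern (CWE-338): salt bytes derived from rand(), whose
# output is a deterministic function of the seed handed to srand().
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr( int( rand(256) ) ) } 1 .. $len;
}

# Hardened pattern: salt bytes read from the kernel CSPRNG.
sub strong_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read( $fh, my $salt, $len ) == $len or die "short read from /dev/urandom";
    close $fh;
    return $salt;
}

# RFC 2307 {SSHA} encoding: base64( sha1(password . salt) . salt ).
# The salt travels with the hash, so the damage from a weak salt is that
# many hashes share a small, precomputable salt space, not that the salt
# is secret.
sub ssha {
    my ( $password, $salt ) = @_;
    return '{SSHA}' . encode_base64( sha1( $password . $salt ) . $salt, '' );
}

# Victim process: seeded (explicitly here for the demo) and generating salts.
srand(12345);
my $victim_salt = weak_salt(4);

# Attacker: having recovered the seed, reseed and replay the same sequence.
srand(12345);
my $replayed_salt = weak_salt(4);
printf "rand() salt reproduced from the seed: %s\n",
    $victim_salt eq $replayed_salt ? 'yes' : 'no';    # prints: yes

# Two independent draws from /dev/urandom should not collide.
my ( $s1, $s2 ) = ( strong_salt(4), strong_salt(4) );
printf "urandom salts identical: %s\n", $s1 eq $s2 ? 'yes' : 'no';

print "weak:   ", ssha( 'hunter2', $victim_salt ), "\n";
print "strong: ", ssha( 'hunter2', $s1 ),          "\n";
```

Run it twice with the same seed and the "weak" hash line is identical across runs, while the "strong" line changes every time; that repeatability is exactly what lets an attacker precompute tables for the rand()-derived salt space.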

Summary generated and translated by AI from the official description.
Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected products
RRWO · Crypt::SaltedHash
