CVE-2026-8647

MEDIUM4.8

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available

Published May 26, 2026

Modified 1 weeks ago

Details

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available.

The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available.

References

WEB

http://www.openwall.com/lists/oss-security/2026/05/26/8

WEB

https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes

WEB

https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-8647

CVSS Analysis

CVSS v3.1

4.8

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

HighAC:H

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

NoneA:N

4.8/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Weakness Type (CWE)

Other

CWE-338

Ecosystems

Timeline

PublishedMay 26, 2026

ModifiedMay 28, 2026