CVE-2026-6659: Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts
Robert Rothenberg 08 May 2026 17:23 UTC
========================================================================
CVE-2026-6659 CPAN Security Group
========================================================================
CVE ID: CVE-2026-6659
Distribution: Crypt-PasswdMD5
Versions: through 1.42
MetaCPAN: https://metacpan.org/dist/Crypt-PasswdMD5
VCS Repo: https://github.com/ronsavage/Crypt-PasswdMD5
Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure
random values for salts
Description
-----------
Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure
random values for salts.
The built-in rand function is predictable and unsuitable for
cryptography.
Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)
References
----------
https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47