CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks

CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks Robert Rothenberg 20 May 2026 20:27 UTC

========================================================================
CVE-2026-47373                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-47373
   Distribution:  Crypt-SaltedHash
       Versions:  through 0.09

       MetaCPAN:  https://metacpan.org/dist/Crypt-SaltedHash
       VCS Repo:  https://github.com/robrwo/perl-Crypt-SaltedHash

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to
timing attacks

Description
-----------
Crypt::SaltedHash versions through 0.09 for Perl is susceptible to
timing attacks.

These versions use Perl's built-in eq comparison. Discrepencies in
timing could be used to guess the underlying hash.

Problem types
-------------
- CWE-208 Observable Timing Discrepancy

Solutions
---------
Upgrade to version 0.10 or later.

References
----------
https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a.patch