CVE-2026-47372: Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts
Robert Rothenberg 20 May 2026 22:09 UTC
========================================================================
CVE-2026-47372 CPAN Security Group
========================================================================
CVE ID: CVE-2026-47372
Distribution: Crypt-SaltedHash
Versions: through 0.09
MetaCPAN: https://metacpan.org/dist/Crypt-SaltedHash
VCS Repo: https://github.com/robrwo/perl-Crypt-SaltedHash
Crypt::SaltedHash versions through 0.09 for Perl generate insecure
random values for salts
Description
-----------
Crypt::SaltedHash versions through 0.09 for Perl generate insecure
random values for salts.
These versions use the built-in rand function, which is predictable and
unsuitable for cryptography.
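The following is an added illustration, not code from Crypt::SaltedHash or its author: a `rand`-based salt generator of the kind CWE-338 describes, beside a hardened form that reads salt bytes from the operating system's CSPRNG. It assumes a Unix-like host with `/dev/urandom`; the function names are chosen for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed illustration (not the module's own code): a salt built from
# Perl's built-in rand(). rand() is a small-state, non-cryptographic PRNG,
# so its output sequence is fully determined by its seed.
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened form: draw the salt from the OS CSPRNG using only core Perl I/O,
# and fail closed if the kernel does not return the full number of bytes.
sub strong_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $got = sysread $fh, my $salt, $len;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $len;
    return $salt;
}

# Predictability check: the same seed yields the same "random" salt, which
# is exactly why rand() must not be used for salts or keys.
srand(12345);
my $w1 = weak_salt(8);
srand(12345);
my $w2 = weak_salt(8);
printf "rand() salts from the same seed identical: %s\n",
    ($w1 eq $w2 ? 'yes' : 'no');   # prints "yes"

# Two draws from /dev/urandom are independent and cannot be reproduced
# by re-seeding anything in the process.
my $s1 = strong_salt(8);
my $s2 = strong_salt(8);
printf "urandom salts identical: %s\n", ($s1 eq $s2 ? 'yes' : 'no');
printf "urandom salt (hex): %s\n", unpack('H*', $s1);
```

When auditing Perl code for this class of defect, grep for `rand(` and `srand(` in any path that produces salts, nonces, tokens or keys; each such call is a candidate for replacement with an OS-backed source as above.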
Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
(PRNG)
Solutions
---------
Upgrade to version 0.10 or later.
References
----------
https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5.patch