CVE-2026-8647: Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available
Robert Rothenberg, 26 May 2026 22:55 UTC

========================================================================
CVE-2026-8647                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-8647
   Distribution:  Crypt-ScryptKDF
       Versions:  through 0.010

       MetaCPAN:  https://metacpan.org/dist/Crypt-ScryptKDF
       VCS Repo:  https://github.com/DCIT/perl-Crypt-ScryptKDF

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random
number source when no CSPRNG module is available

Description
-----------
Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random
number source when no CSPRNG module is available.

The random_bytes function fell back to using the built-in rand()
function when none of the Perl modules Crypt::PRNG,
Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or
Bytes::Random::Secure were available.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Workarounds
-----------
Install one of the recommended Perl modules, such as Crypt::PRNG.

Solutions
---------
Upgrade to version 0.011 or later.
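
The following audit script is an added example, not code from this
advisory or from the Crypt-ScryptKDF distribution. It reports whether the
running perl has a pre-0.011 Crypt::ScryptKDF and whether any of the
modules listed above loads. The sub names and the three status labels are
hypothetical, and it assumes a module counts as available when require
succeeds.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use version;

# Fallback module list and fixed release, both taken from the advisory text.
my @CSPRNG = qw(Crypt::PRNG Crypt::OpenSSL::Random Net::SSLeay
                Crypt::Random Bytes::Random::Secure);
my $FIXED  = version->parse('0.011');

# Installed version of a module, or undef when it cannot be loaded.
# Assumption: "available" means that require succeeds in this perl.
# A module that loads but declares no $VERSION is reported as '0'.
sub installed_version {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return undef unless eval { require $file; 1 };
    my $v = eval { $module->VERSION };
    return defined $v ? "$v" : '0';
}

# Returns (status, message); status is 'ok', 'mitigated' or 'exposed'.
sub audit {
    my $kdf = installed_version('Crypt::ScryptKDF');
    return ('ok', 'Crypt::ScryptKDF is not installed') unless defined $kdf;

    # An unparseable version string is treated as predating the fix.
    my $parsed = eval { version->parse($kdf) };
    return ('ok', "Crypt::ScryptKDF $kdf includes the fix")
        if defined $parsed && $parsed >= $FIXED;

    my @found = grep { defined installed_version($_) } @CSPRNG;
    return ('mitigated', "Crypt::ScryptKDF $kdf predates the fix; "
          . "CSPRNG module(s) present: @found. Upgrade to 0.011 or later")
        if @found;
    return ('exposed', "Crypt::ScryptKDF $kdf predates the fix and none of "
          . "(@CSPRNG) loads, so random_bytes falls back to rand()");
}

my ($status, $message) = audit();
print "$status: $message\n";
exit($status eq 'exposed' ? 1 : 0);
```

Run it with the same perl binary and @INC that the application uses; the
exit status is 1 only when the rand() fallback is reachable.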

References
----------
https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes
https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm

Timeline
--------
- 2026-05-13: Issue reported to CPANSec
- 2026-05-14: Issue reported to maintainer
- 2026-05-16: Version 0.011 with fix released.