CVE-2026-9638: Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts

CVE-2026-9638: Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts Robert Rothenberg 12 Jun 2026 14:43 UTC

========================================================================
CVE-2026-9638                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-9638
   Distribution:  Crypt-PBKDF2
       Versions:  before 0.261630

       MetaCPAN:  https://metacpan.org/dist/Crypt-PBKDF2
       VCS Repo:  https://github.com/arodland/Crypt-PBKDF2

Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure
random values for salts

Description
-----------
Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure
random values for salts.

These versions use the built-in rand function, which is predictable and
unsuitable for cryptography.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

Solutions
---------
Upgrade to version 0.261630 or later.

References
----------
https://metacpan.org/dist/Crypt-PBKDF2/source/lib/Crypt/PBKDF2.pm#L86-93
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes