Crypt::ScryptKDF CVE-2026-8647
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available.
The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available.
AnalysisAI
Insecure PRNG fallback in Crypt::ScryptKDF for Perl (versions through 0.010) exposes applications to cryptographically weak random byte generation when none of five recognized CSPRNG modules are installed. The random_bytes function silently degrades to Perl's built-in rand(), which is not a cryptographically secure source, potentially weakening scrypt-derived salts or keys in password hashing and key derivation workflows. No public exploit is identified and EPSS is 0.02% (4th percentile), but the cryptographic impact in minimally-configured Perl environments could be severe, as predictable salts dramatically reduce the cost of offline attacks against derived key material.
Technical ContextAI
Crypt::ScryptKDF implements the memory-hard scrypt key derivation function for Perl. Correct use of scrypt requires a high-entropy random salt to prevent precomputation and rainbow table attacks. The module's random_bytes function implements a priority chain, checking for Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure in order. When none are present, it silently falls back to Perl's rand(), which is a linear congruential or Mersenne Twister PRNG seeded predictably (often from system time or process ID). This is a textbook instance of CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator): the generator is statistically adequate for simulation but lacks the unpredictability guarantees required for cryptographic material. No CPE strings were included in the source data; affected scope is inferred from NVD and the MetaCPAN changelog.
Affected ProductsAI
Crypt::ScryptKDF versions 0.010 and earlier for Perl are confirmed affected. The patched release is version 0.011, available on MetaCPAN. The changelog is published at https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes and the specific code change removing the insecure fallback is visible at https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm. No CPE strings were provided in the source data; affected versions are inferred from the NVD entry and MetaCPAN release history.
RemediationAI
Upgrade Crypt::ScryptKDF to version 0.011 or later using CPAN (cpanm Crypt::ScryptKDF) - this release removes the insecure rand() fallback entirely, as confirmed by the diff at https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm. As an interim compensating control on systems that cannot immediately upgrade, install at least one of the five CSPRNG modules - Crypt::PRNG (part of CryptX), Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure - which will prevent the insecure fallback from being reached at runtime. Trade-off: this workaround depends on correct module installation being maintained and does not harden the library itself against future installation drift. Critically, neither the upgrade nor the workaround retroactively secures any salts or derived keys already generated using the weak fallback - any passwords hashed or keys derived on an affected installation should be considered potentially compromised and should be regenerated or invalidated.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packe
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to se
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Rated hig
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today