Crypt::ScryptKDF CVE-2026-8647

MEDIUM
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-05-26 9b29abf9-4ab0-4765-b253-1875cd9b441e
4.8 (CVSS 3.1)
CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: May 28, 2026 - 18:31 (vuln.today)
CVSS changed: May 28, 2026 - 16:22 (NVD), 4.8 (MEDIUM)
CVE Published: May 26, 2026 - 23:16 (nvd), MEDIUM 4.8
CVE Published: May 26, 2026 - 23:16 (nvd), UNKNOWN (no severity yet)

Description (NVD)

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available.

The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available.

Analysis (AI)

Insecure PRNG fallback in Crypt::ScryptKDF for Perl (versions through 0.010) exposes applications to cryptographically weak random byte generation when none of five recognized CSPRNG modules are installed. The random_bytes function silently degrades to Perl's built-in rand(), which is not a cryptographically secure source, potentially weakening scrypt-derived salts or keys in password hashing and key derivation workflows. …
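A check for the fallback condition described above, as an added example that is not code from the advisory or from the Crypt::ScryptKDF project. It assumes only the module list and the 0.010 version boundary given in the description; the helper name `loadable` and the output format are hypothetical.

```perl
#!/usr/bin/env perl
# Added example, not code from the advisory or from Crypt::ScryptKDF.
# Reports whether this Perl environment meets the condition in the
# description: affected version installed and none of the five named
# CSPRNG modules loadable, so random_bytes would fall back to rand().
use strict;
use warnings;
use version;

# Module names and the version boundary come from the CVE description.
my @CSPRNG_MODULES = qw(
    Crypt::PRNG Crypt::OpenSSL::Random Net::SSLeay
    Crypt::Random Bytes::Random::Secure
);
my $LAST_AFFECTED = version->parse('0.010');

# True if the named module loads under the current interpreter and @INC.
sub loadable {
    my ($module) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

unless (loadable('Crypt::ScryptKDF')) {
    print "Crypt::ScryptKDF: not installed for this perl\n";
    exit 0;
}

# An unparseable or missing $VERSION is treated as affected (conservative).
my $raw      = Crypt::ScryptKDF->VERSION;
my $parsed   = eval { version->parse($raw) };
my $affected = !defined $parsed || $parsed <= $LAST_AFFECTED;
printf "Crypt::ScryptKDF %s: %s\n", $raw // 'unknown',
    $affected ? 'in affected range (through 0.010)' : 'newer than 0.010';

my @available = grep { loadable($_) } @CSPRNG_MODULES;
printf "%-24s %s\n", $_, loadable($_) ? 'loadable' : 'missing' for @CSPRNG_MODULES;

if ($affected && !@available) {
    print "RESULT: rand() fallback condition is met in this environment\n";
    exit 1;
}
print "RESULT: rand() fallback condition is not met in this environment\n";
exit 0;
```

Run it with the same interpreter, user and @INC (PERL5LIB, local::lib) as the application, since module availability is specific to each environment.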
