CVE-2026-6659

HIGH

Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts

Title source: cna

Description

Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.

References (5)

Core 5

Core References

https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/08/17

Release Notes release-notes

https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.43/changes

Issue Tracking issue-tracking

https://github.com/ronsavage/Crypt-PasswdMD5/pull/3

Patch patch

https://github.com/ronsavage/Crypt-PasswdMD5/commit/a2f821637db0296082297aa4b02254ab08f0dc5e.patch

Scores

CVSS v3 7.5

EPSS 0.0041

EPSS Percentile 32.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-338

Status published

Products (1)

RSAVAGE/Crypt::PasswdMD5 < 1.42

Published May 08, 2026

Tracked Since May 08, 2026