Message-ID: <462a16da-96e7-4f81-b8e7-3ff903b0774f@cpansec.org>
Date: Fri, 8 May 2026 18:23:37 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-6659: Crypt::PasswdMD5 versions through 1.42 for Perl
 generates insecure random values for salts

========================================================================
CVE-2026-6659                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-6659
   Distribution:  Crypt-PasswdMD5
       Versions:  through 1.42

       MetaCPAN:  https://metacpan.org/dist/Crypt-PasswdMD5
       VCS Repo:  https://github.com/ronsavage/Crypt-PasswdMD5


Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure
random values for salts

Description
-----------
Crypt::PasswdMD5 versions through 1.42 for Perl generate insecure
random values for salts.

The built-in rand function is predictable, and unsuitable for
cryptography.

Problem types
-------------
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator
   (PRNG)

References
----------
https://metacpan.org/release/RSAVAGE/Crypt-PasswdMD5-1.42/source/lib/Crypt/PasswdMD5.pm#L35-47


