Message-ID: <a58262e5-1da1-464c-9ce4-80de1b916bee@cpansec.org>
Date: Wed, 20 May 2026 21:27:19 +0100
From: Robert Rothenberg <rrwo@...nsec.org>
To: cve-announce@...urity.metacpan.org, oss-security@...ts.openwall.com
Subject: CVE-2026-47373: Crypt::SaltedHash versions through 0.09 for Perl are
 susceptible to timing attacks

========================================================================
CVE-2026-47373                                       CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-47373
   Distribution:  Crypt-SaltedHash
       Versions:  through 0.09

       MetaCPAN:  https://metacpan.org/dist/Crypt-SaltedHash
       VCS Repo:  https://github.com/robrwo/perl-Crypt-SaltedHash


Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
timing attacks

Description
-----------
Crypt::SaltedHash versions through 0.09 for Perl are susceptible to
timing attacks.

These versions compare the computed hash against the stored hash with
Perl's built-in eq operator, which can return as soon as the first
differing byte is found. The resulting discrepancies in timing could be
used to guess the underlying hash.
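To make the weakness concrete, here is an added example (not code from Crypt::SaltedHash or its fix) that validates an SSHA-style salted hash two ways: once with eq, as the affected versions do, and once with a comparison that always walks the full digest. The {SSHA} layout (base64 of SHA-1 digest followed by salt) and the helper names are assumptions made for this illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Vulnerable shape: eq may stop at the first mismatching byte, so the
# time taken leaks how long a prefix of the guess matched the digest.
sub compare_eq {
    my ($x, $y) = @_;
    return $x eq $y ? 1 : 0;
}

# Hardened form: XOR every byte pair and OR the results together, so the
# loop runs over the whole digest no matter where the first difference is.
# Length is fixed for a given algorithm, so the early length check only
# leaks what the stored format already reveals.
sub compare_constant_time {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr($x, $i, 1)) ^ ord(substr($y, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Assumed SSHA layout: "{SSHA}" . base64(sha1(secret . salt) . salt)
sub make_ssha {
    my ($secret, $salt) = @_;
    return '{SSHA}' . encode_base64(sha1($secret . $salt) . $salt, '');
}

# $cmp is the comparison routine to use; SHA-1 digests are 20 bytes.
sub validate_ssha {
    my ($stored, $secret, $cmp) = @_;
    my $raw    = decode_base64(substr($stored, length '{SSHA}'));
    my $digest = substr($raw, 0, 20);
    my $salt   = substr($raw, 20);
    return $cmp->(sha1($secret . $salt), $digest);
}

# Constructed sample values for the demonstration.
my $stored = make_ssha('correct horse', 'saltsalt');
print "eq:            ", validate_ssha($stored, 'correct horse', \&compare_eq), "\n";
print "constant-time: ", validate_ssha($stored, 'correct horse', \&compare_constant_time), "\n";
print "wrong secret:  ", validate_ssha($stored, 'wrong guess', \&compare_constant_time), "\n";
```

Both routines return the same accept/reject results; the difference is only that compare_constant_time does the same amount of work for every wrong guess.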

Problem types
-------------
- CWE-208 Observable Timing Discrepancy

Solutions
---------
Upgrade to version 0.10 or later.


References
----------
https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a.patch


