========================================================================
CVE-2026-8647 CPAN Security Group
========================================================================

CVE ID: CVE-2026-8647
Distribution: Crypt-ScryptKDF
Versions: through 0.010
MetaCPAN: https://metacpan.org/dist/Crypt-ScryptKDF
VCS Repo: https://github.com/DCIT/perl-Crypt-ScryptKDF

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random
number source when no CSPRNG module is available

Description
-----------

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random
number source when no CSPRNG module is available. The random_bytes
function fell back to the built-in rand() function when none of the Perl
modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random,
or Bytes::Random::Secure were available.

Problem types
-------------

- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Workarounds
-----------

Install one of the recommended Perl modules, such as Crypt::PRNG.

Solutions
---------

Upgrade to version 0.011 or later.

References
----------

https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/changes
https://metacpan.org/release/MIK/Crypt-ScryptKDF-0.011/diff/MIK/Crypt-ScryptKDF-0.010#lib/Crypt/ScryptKDF.pm

Timeline
--------

- 2026-05-13: Issue reported to CPANSec
- 2026-05-14: Issue reported to maintainer
- 2026-05-16: Version 0.011 with fix released.
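The following Perl script is an added host check, not part of the advisory or of the Crypt-ScryptKDF distribution: it reports whether the installed Crypt::ScryptKDF is on the fixed release and, if not, whether any of the five CSPRNG modules the advisory lists is loadable, so that the rand() fallback in random_bytes would not be reached. It assumes the documented scrypt_hash($password, $salt, $N, $r, $p, $len) argument order and Crypt::PRNG's random_bytes function; the password value is a constructed placeholder.

```perl
use strict;
use warnings;
use version;

# Fixed release named in the advisory.
my $fixed = version->parse('0.011');

# CSPRNG sources that Crypt::ScryptKDF <= 0.010 tries before falling
# back to the built-in rand() (the CWE-338 weakness described above).
my @csprng_sources = qw(
    Crypt::PRNG
    Crypt::OpenSSL::Random
    Net::SSLeay
    Crypt::Random
    Bytes::Random::Secure
);

# Returns the names of the CSPRNG modules that load on this host.
sub available_csprng_sources {
    return grep { eval "require $_; 1" } @csprng_sources;
}

# Classifies the host: 'fixed' (>= 0.011), 'mitigated' (older version but
# a CSPRNG module is present) or 'fallback_to_rand' (older, none present).
sub assess_scryptkdf {
    eval { require Crypt::ScryptKDF; 1 } or return 'not_installed';
    my $installed = version->parse($Crypt::ScryptKDF::VERSION);
    return 'fixed' if $installed >= $fixed;
    return available_csprng_sources() ? 'mitigated' : 'fallback_to_rand';
}

my $state = assess_scryptkdf();
print "Crypt::ScryptKDF state: $state\n";

if ($state eq 'fallback_to_rand') {
    print "Upgrade to 0.011+ or install Crypt::PRNG before deriving keys.\n";
    exit 1;
}

# Defensive pattern for hosts that cannot upgrade yet: draw the salt from
# Crypt::PRNG explicitly and pass it as a string, so the module's own
# random_bytes() is never consulted for salt generation.
if ($state eq 'mitigated' && eval { require Crypt::PRNG; 1 }) {
    my $salt = Crypt::PRNG::random_bytes(32);              # 32-byte CSPRNG salt
    my $hash = Crypt::ScryptKDF::scrypt_hash('placeholder-password',  # constructed
                                             $salt, 16384, 8, 1, 32);
    print "Derived with explicit CSPRNG salt: $hash\n";
}
```

Run it on each host after the upgrade as well: a 'fixed' result confirms the package manager actually delivered 0.011 rather than a pinned older build.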
