CVE-2026-8647

Summary

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available.

The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure were available.

Affected Software

VendorProductVersion RangeStatus
MIKCrypt::ScryptKDF0 <= 0.010affected

Weaknesses

  • CWE-338: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator

Workarounds

Install one of the recommended Perl modules, such as Crypt::PRNG.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References