CVE-2026-9641
5.3 MEDIUM · Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations
Published: 2026-06-12 · Last updated: 2026-06-14
Severity and scoring
- CVSS: 5.3 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-916
Description
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.
Source: NVD
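The weak default configuration spelled out explicitly beside a hardened one, as an added example that is not part of the advisory or of the Crypt::PBKDF2 distribution. The constructor options (`hash_class`, `hash_args`/`sha_size`, `iterations`, `salt_len`) and the `generate`/`validate` methods are assumed from the module's documented interface, and the password is a constructed test value.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::PBKDF2;

# Constructed test password for the demonstration only.
my $password = 'correct horse battery staple';

# The vulnerable defaults written out explicitly: this is what a bare
# Crypt::PBKDF2->new() produced before 0.261630 (HMAC-SHA1, 1000 iterations).
my $weak = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA1',
    iterations => 1000,
);

# Hardened configuration: HMAC-SHA256 with 600,000 iterations, inside the
# 220,000..1,400,000 range the advisory cites for current algorithms.
# Option names are assumed from the module documentation.
my $strong = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 600_000,
    salt_len   => 16,
);

my $legacy_hash = $weak->generate($password);
my $new_hash    = $strong->generate($password);

# Crypt::PBKDF2 encodes the algorithm, iteration count and salt inside the
# hash string, so one hardened object can still validate hashes produced
# with the old defaults. Treat any hash that validates but was not generated
# with the hardened parameters as due for a rehash on the next successful
# login, so stored hashes migrate off HMAC-SHA1/1000 over time.
for my $stored ($legacy_hash, $new_hash) {
    my $ok = $strong->validate($stored, $password) ? 1 : 0;
    printf "%-40s valid=%d\n", substr($stored, 0, 40) . '...', $ok;
}
```

Pinning the parameters explicitly in code, rather than relying on the module default, keeps the configuration safe regardless of which Crypt::PBKDF2 version is installed.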
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-9641
- [Other] https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
- [Other] https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
- [Other] http://www.openwall.com/lists/oss-security/2026/06/12/5
- [Other] http://www.openwall.com/lists/oss-security/2026/06/13/1
- [Other] http://www.openwall.com/lists/oss-security/2026/06/14/1
- [Other] http://www.openwall.com/lists/oss-security/2026/06/14/2
- [Other] http://www.openwall.com/lists/oss-security/2026/06/14/3
Related CVEs
Same CWE
- CVE-2026-25861 — QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise... (5.9 MEDIUM)
- CVE-2026-44611 — Danelec MacGregor Voyage Data Recorder passwords are stored with a hashing method which limits password length and is susceptible to brut... (5.4 MEDIUM)
- CVE-2026-45787 — electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client (9.1 CRITICAL)
- CVE-2026-45027 — WeGIA is a web manager for charitable institutions (5.9 MEDIUM)
- CVE-2021-38400 — An attacker with physical access to Boston Scientific Zoom Latitude Model 3120 can remove the hard disk drive or create a specially craft... (6.9 MEDIUM)