CVE-2026-8647

CVE-2026-8647: Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available

Vendor: Mik
Product: Crypt::ScryptKDF
Weakness: CWE-338
Published: May 26, 2026
Last update: May 28, 2026

What the vulnerability does

01 Description

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available. The random_bytes function fell back to the built-in rand() function when none of the Perl modules Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure was available.
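An exposure check for the condition described above, as an added example that is not code from Crypt::ScryptKDF or from this record: it reports whether the installed version falls in the affected range and whether any of the five listed modules loads. The function names are hypothetical, and it assumes the script is run with the same perl and @INC as the application.

```perl
#!/usr/bin/perl
# Added example (not project code): reports whether this perl could reach
# the rand() fallback described in CVE-2026-8647.
use strict;
use warnings;
use version;

# CSPRNG modules named in the advisory text.
my @CSPRNG_MODULES = qw(
    Crypt::PRNG Crypt::OpenSSL::Random Net::SSLeay
    Crypt::Random Bytes::Random::Secure
);

# Return the listed modules that actually load in this interpreter.
sub available_csprng_modules {
    my @found;
    for my $module (@CSPRNG_MODULES) {
        (my $file = "$module.pm") =~ s{::}{/}g;
        push @found, $module if eval { require $file; 1 };
    }
    return @found;
}

# Installed Crypt::ScryptKDF version, or undef when it is not installed.
sub scryptkdf_version {
    return unless eval { require Crypt::ScryptKDF; 1 };
    return Crypt::ScryptKDF->VERSION;
}

# Returns (exit_code, message); exit code 1 means the fallback is reachable.
sub audit {
    my $installed = scryptkdf_version();
    return (0, "Crypt::ScryptKDF is not installed for this perl")
        unless defined $installed;

    # The advisory gives the affected range as "through 0.010".
    my $affected = version->parse($installed) <= version->parse('0.010');
    my @found    = available_csprng_modules();

    return (0, "version $installed is outside the affected range") unless $affected;
    return (0, "version $installed is affected, but a CSPRNG module loads: @found")
        if @found;
    return (1, "version $installed is affected and no listed CSPRNG module loads: "
             . "random_bytes would use rand()");
}

my ($code, $message) = audit();
print "$message\n";
exit $code;
```

A non-zero exit status means none of the listed modules is loadable on that host; installing any one of them keeps random_bytes off the rand() path.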

Key dates

02 Disclosure timeline

May 26, 2026: CVE published
May 28, 2026: Record updated