Insecure Random Number Generation in the Crypt::ScryptKDF Perl Library
CVE-2026-8647

Currently unrated

Key Information:

Vendor

Mik

CVE Published:
26 May 2026

What is CVE-2026-8647?

Crypt::ScryptKDF for Perl, in versions up to and including 0.010, falls back to Perl's built-in rand() when no cryptographically secure pseudo-random number generator (CSPRNG) module is available on the host. rand() is not a CSPRNG: its output is fully determined by a small seed and can be reproduced by anyone who knows or can guess that seed, so the random bytes the library produces in that configuration (for example, salts for password hashing) are predictable. Applications that rely on the library for password-based key derivation on a host without a CSPRNG provider therefore obtain predictable values where unpredictable ones are required, which weakens the protection the library is expected to provide.
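As an added illustration (not code from this advisory or from Crypt::ScryptKDF itself), the Perl below reproduces the rand()-fallback pattern in miniature, shows why it is predictable, and gives a replacement random-byte generator that stops rather than degrading to rand(). The module names in the fallback chain (Crypt::PRNG from CryptX, Crypt::URandom), the /dev/urandom path, and the positional scrypt_hash(password, salt) call are assumptions about the deployment, not a description of the library's internals.

```perl
#!/usr/bin/perl
# Added example, not Crypt::ScryptKDF's own code.  The weak fallback pattern
# described in the advisory is reproduced in miniature beside a salt generator
# that refuses to degrade to rand().  Module names and the fallback chain are
# assumptions about the environment.
use strict;
use warnings;

# Weak: what a rand()-based fallback looks like.  rand() is driven by a small
# seed, so with a known or guessable seed the "salt" is reproducible.
sub weak_random_bytes {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened: CSPRNG sources only, in order of preference; die rather than fall back.
sub strong_random_bytes {
    my ($len) = @_;
    if (eval { require Crypt::PRNG; 1 }) {          # CryptX (assumed available)
        return Crypt::PRNG::random_bytes($len);
    }
    if (eval { require Crypt::URandom; 1 }) {       # thin wrapper over the OS RNG
        return Crypt::URandom::urandom($len);
    }
    if (-r '/dev/urandom') {                        # last resort on Unix-like hosts
        open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
        my $buf = '';
        while (length $buf < $len) {
            my $n = sysread $fh, $buf, $len - length $buf, length $buf;
            die "sysread /dev/urandom: $!" unless defined $n;
            die "short read from /dev/urandom" if $n == 0;
        }
        close $fh;
        return $buf;
    }
    die "No CSPRNG available; refusing to fall back to rand()\n";
}

# Demonstrate predictability: two runs that start from the same seed get the
# same rand()-derived salt, which is exactly what a salt must never allow.
srand(12345);
my $salt_a = weak_random_bytes(16);
srand(12345);
my $salt_b = weak_random_bytes(16);
printf "weak salts identical after reseed: %s\n", ($salt_a eq $salt_b ? 'yes' : 'no');

my $salt = strong_random_bytes(32);
printf "strong salt: %d bytes, %s\n", length $salt, unpack('H*', $salt);

# Supply the salt explicitly instead of relying on the library's default salt
# generation, so the source of randomness stays under the caller's control.
# (Argument order password, salt is assumed from the module's documentation.)
if (eval { require Crypt::ScryptKDF; 1 }) {
    my $hash = Crypt::ScryptKDF::scrypt_hash('correct horse battery staple', $salt);
    print "scrypt_hash with caller-supplied salt: $hash\n";
}
```

A quick deployment check is to confirm that a CSPRNG provider the library can use is actually installed on every host that runs it, for example `perl -MCrypt::PRNG -e1` (exit status 0 means the module loads); which providers the library probes, and in what order, is an assumption here and should be verified against the installed version's source. Passing a caller-generated salt, as above, removes the dependency on the library's internal fallback entirely.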

Affected Version(s)

Crypt::ScryptKDF, all versions from 0 up to and including 0.010

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 May 2026