Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations
CVE-2026-9641

5.3MEDIUM

Key Information:

Vendor

Arodland

Status
Crypt::pbkdf2
Vendor
CVE Published:
12 June 2026

What is CVE-2026-9641?

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations.

The default algorithm is HMAC-SHA1, which should only be used for legacy systems.

These versions default to using 1000 iterations.

Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.

Affected Version(s)

Crypt::PBKDF2 0 < 0.261630

References

https://cheatsheetseries.owasp.org/cheatsheets/Password_S...
technical-description
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.2616...
release-notes

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.