CVE Catalog

CVE-2026-9641

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.02%

6th percentile — higher than 6% of all known CVEs

Summary

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems.

Risk Assessment

The weak algorithm and low number of iterations may lead to easier password cracking, posing a risk to the organization's data security.

Recommendation

It is recommended to upgrade to a newer version of Crypt::PBKDF2 and increase the number of iterations to at least 220,000 to enhance password security.

Original NVD description (English source)

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS