PatchSiren cyber security CVE debrief
CVE-2026-9638 ARODLAND CVE debrief
CVE-2026-9638 is a HIGH-severity vulnerability in Crypt::PBKDF2 versions before 0.261630 for Perl. These versions generate insecure random values for salts due to the use of the built-in rand function, which is predictable and unsuitable for cryptography. The vulnerability has a CVSS score of 7.5 and was published on 2026-06-12 ([CVE record](https://www.cve.org/CVERecord?id=CVE-2026-9638)).
- Vendor: ARODLAND
- Product: Crypt::PBKDF2
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Developers and users of Crypt::PBKDF2 versions before 0.261630 for Perl should be aware of this vulnerability and take steps to upgrade to a secure version.
Technical summary
The vulnerability is caused by the use of the built-in rand function in Crypt::PBKDF2 versions before 0.261630 for Perl, which generates predictable and insecure random values for salts. This is unsuitable for cryptography and can lead to security issues.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Crypt::PBKDF2 version 0.261630 or later.
- Use a secure random number generator for generating salts.
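The contrast behind both actions, as an added example (not code from Crypt::PBKDF2 or from this advisory): a salt built from the built-in rand repeats whenever the seed repeats, while a salt read from the kernel CSPRNG does not, and the last step reports whether an installed Crypt::PBKDF2 meets the fixed version. The names `weak_salt` and `secure_salt` and the seed value are hypothetical, and the code assumes a Unix-like system that provides `/dev/urandom`.

```perl
#!/usr/bin/env perl
# Added example: constructed for illustration, not code from Crypt::PBKDF2.
use strict;
use warnings;

# Weak pattern: salt bytes drawn from Perl's built-in rand().
# rand() is a seeded, non-cryptographic PRNG: the same seed yields the same salt.
sub weak_salt {
    my ($len) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $len;
}

# Hardened pattern: salt bytes read from the kernel CSPRNG.
# Assumption: a Unix-like system that provides /dev/urandom.
sub secure_salt {
    my ($len) = @_;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $salt = '';
    while (length($salt) < $len) {
        my $chunk;
        my $n = read($fh, $chunk, $len - length($salt));
        die "short read from /dev/urandom" unless $n;
        $salt .= $chunk;
    }
    close($fh);
    return $salt;
}

# Reseeding with the same (constructed) seed reproduces the "random" salt.
srand(12345);
my $first = weak_salt(16);
srand(12345);
my $second = weak_salt(16);
printf "rand() salt repeats under the same seed: %s\n",
    ($first eq $second ? 'yes' : 'no');
printf "urandom salts differ between calls: %s\n",
    (secure_salt(16) ne secure_salt(16) ? 'yes' : 'no');

# Check the installed module against the fixed version named in the advisory.
# Class->VERSION($min) dies when the installed version is lower than $min.
if (eval { require Crypt::PBKDF2; 1 }) {
    my $fixed = eval { Crypt::PBKDF2->VERSION('0.261630'); 1 };
    printf "Crypt::PBKDF2 %s: %s\n", Crypt::PBKDF2->VERSION // 'unknown',
        ($fixed ? 'at or above 0.261630' : 'before 0.261630, upgrade');
} else {
    print "Crypt::PBKDF2 is not installed in this Perl\n";
}
```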
Evidence notes
The vulnerability is confirmed by the official CVE record [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-9638) and the NVD detail [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-9638).
Official resources
- CVE-2026-9638 CVE record (CVE.org)
- CVE-2026-9638 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e
- Source reference: af854a3a-2127-422b-91ae-364da2661108
CVE-2026-9638 was published on 2026-06-12T16:16:34.937Z and modified on 2026-06-12T18:16:36.030Z.