PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9641 ARODLAND CVE debrief

CVE-2026-9641 is a medium-severity vulnerability (CVSS Score: 5.3) affecting Crypt::PBKDF2 versions before 0.261630 for Perl. The vulnerability stems from the use of a weak default algorithm (HMAC-SHA1) and a low number of iterations (1000). HMAC-SHA1 is considered suitable only for legacy systems. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations are recommended.

Vendor
ARODLAND
Product
Crypt::PBKDF2
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-12
Original CVE updated
2026-06-14
Advisory published
2026-06-12
Advisory updated
2026-06-14

Who should care

Developers and administrators using Crypt::PBKDF2 for password storage in Perl applications should be aware of this vulnerability. The default configuration of affected versions may not provide adequate security for password storage.

Technical summary

The vulnerability is characterized by the following:

  • A CVSS score of 5.3, indicating medium severity.
  • Affected versions: Crypt::PBKDF2 before 0.261630.
  • The default algorithm is HMAC-SHA1, which is recommended only for legacy systems.
  • The default number of iterations is 1000, which is lower than recommended.
  • Recommended iterations range from 220,000 to 1,400,000 depending on the algorithm.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Crypt::PBKDF2 version 0.261630 or later.
  • Configure a stronger algorithm (e.g., HMAC-SHA256) if possible.
  • Increase the number of iterations to at least 220,000, or ideally 1,400,000 if the algorithm supports it.
  • Refer to [ref-4](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2) for password storage best practices.
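The following Perl script is an added example (not code from the advisory or from the Crypt::PBKDF2 project) showing how to apply the actions above in code: it constructs a hasher with the weak defaults described in the advisory beside a hardened one using HMAC-SHA256 and a high iteration count, and audits stored hash strings for the weak parameters. It assumes the constructor options `hash_class`, `hash_args`, `iterations` and `salt_len` and the `generate`, `validate` and `decode_string` methods as documented for Crypt::PBKDF2; the `decode_string` return keys (`algorithm`, `iterations`, `salt`, `hash`) and the iteration value 600,000 (chosen inside the advisory's recommended range) are assumptions, and the password is a constructed sample.

```perl
#!/usr/bin/env perl
# Added example, not part of the advisory or the Crypt::PBKDF2 distribution:
# hardened Crypt::PBKDF2 configuration plus an audit of stored hash strings.
use strict;
use warnings;
use Crypt::PBKDF2;

# Assumption: 600_000 is a value chosen inside the advisory's recommended
# range (at least 220,000); raise it if your latency budget allows.
use constant MIN_ITERATIONS => 220_000;
use constant ITERATIONS     => 600_000;

# Weak configuration: equivalent to the defaults of the affected versions
# (HMAC-SHA1, 1000 iterations). Kept here only to contrast with the fix.
my $weak = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA1',
    iterations => 1000,
);

# Hardened configuration: HMAC-SHA256, explicit iteration count, 16-byte salt.
my $strong = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => ITERATIONS,
    salt_len   => 16,
);

my $password    = 'correct horse battery staple';   # constructed sample input
my $weak_hash   = $weak->generate($password);
my $strong_hash = $strong->generate($password);

# Audit a stored hash string for the two weaknesses named in the advisory.
# Assumption: decode_string() returns a hashref with keys algorithm,
# iterations, salt and hash (the parameters are embedded in the string).
sub audit_hash {
    my ($pbkdf2, $stored) = @_;
    my $p = $pbkdf2->decode_string($stored);
    my @findings;
    push @findings, "legacy algorithm $p->{algorithm}"
        if $p->{algorithm} =~ /SHA1/i;
    push @findings, "iterations $p->{iterations} below " . MIN_ITERATIONS
        if $p->{iterations} < MIN_ITERATIONS;
    return @findings ? join('; ', @findings) : 'ok';
}

printf "weak:   %s\n", audit_hash($strong, $weak_hash);
printf "strong: %s\n", audit_hash($strong, $strong_hash);

# validate() reads the parameters from the stored string, so a hardened
# hasher still verifies hashes produced with the old defaults. That is what
# lets an application re-hash a flagged password on the next successful login.
die "validate failed" unless $strong->validate($strong_hash, $password);
die "validate failed" unless $strong->validate($weak_hash,   $password);
```

Run the audit over every stored hash (for example from a nightly job) to find records still carrying HMAC-SHA1 or a low iteration count, and re-hash those records with the hardened object the next time the user authenticates successfully, since the plaintext is only available at that moment.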

Evidence notes

The CVE record [cve-org] provides official details about the vulnerability. The National Vulnerability Database (NVD) [nvd] offers additional information and analysis. For more context on password storage best practices, refer to the OWASP Password Storage Cheat Sheet [ref-4].

Official resources

CVE-2026-9641 was published on 2026-06-12T16:16:35.047Z and modified on 2026-06-14T15:16:34.277Z.