PatchSiren cyber security CVE debrief

CVE-2026-47373 RRWO CVE debrief

CVE-2026-47373 is a timing-attack issue in the Perl Crypt::SaltedHash module affecting versions through 0.09. The problem comes from using Perl's built-in eq comparison, which can expose timing discrepancies that may help an attacker infer information about the underlying hash. The supplied references point to a fix in Crypt::SaltedHash 0.10 and an associated security disclosure on the same day the CVE was published.

Vendor: RRWO
Product: Crypt::SaltedHash
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Perl developers and operators using Crypt::SaltedHash through 0.09, especially in authentication, password-verification, or any code path that compares secret values or derived hashes in a remotely reachable context.

Technical summary

NVD maps this issue to CWE-208 (Observable Timing Discrepancy). According to the CVE description, Crypt::SaltedHash versions through 0.09 use Perl's built-in eq for comparison. Because eq may not take the same amount of time for all inputs, an attacker who can measure response timing may gain information about the compared hash or secret. The referenced 0.10 release notes and patch indicate a corrective change was made in the project.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Crypt::SaltedHash to version 0.10 or later.
  • Review application code that compares hashes, tokens, or other secrets and replace non-constant-time comparisons with a constant-time alternative where appropriate.
  • Prioritize remediation for any network-facing authentication or verification flow that uses this module.
  • If exposure is suspected, consider reissuing or rotating affected secrets and credentials according to your incident-response and password-management procedures.
  • Verify dependency locks and deployment artifacts to ensure the fixed release is actually in use.
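To make the second action concrete, here is an added Perl example (not the module's code and not the 0.10 patch) that places a comparison modelling the early-exit behaviour the technical summary attributes to eq beside a constant-time comparison of the kind the recommended actions call for; the function names and digest values are constructed for illustration.

```perl
use strict;
use warnings;

# Models the comparison behaviour the CVE description attributes to eq:
# stop at the first differing byte, so elapsed time grows with the length
# of the matching prefix (the CWE-208 observable timing discrepancy).
sub early_exit_eq {
    my ($expected, $candidate) = @_;
    return 0 if length($expected) != length($candidate);
    for my $i (0 .. length($expected) - 1) {
        # Data-dependent exit: this is what a remote timer can observe.
        return 0 if substr($expected, $i, 1) ne substr($candidate, $i, 1);
    }
    return 1;
}

# Constant-time alternative: XOR every byte pair and OR the results into an
# accumulator, so the loop always covers the full string and no branch or
# early return depends on where the inputs differ.
sub constant_time_eq {
    my ($expected, $candidate) = @_;
    # Digests produced by one scheme have a fixed length, so a length
    # mismatch reveals nothing about the secret bytes themselves.
    return 0 if length($expected) != length($candidate);
    my $diff = 0;
    for my $i (0 .. length($expected) - 1) {
        $diff |= ord(substr($expected, $i, 1)) ^ ord(substr($candidate, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Constructed sample values (hypothetical, not from the CVE record): a stored
# hex digest, a matching candidate, and one that shares a long prefix.
my $stored    = 'd2a6c1f0e9b3a7c5d2a6c1f0e9b3a7c5';
my $matching  = $stored;
my $near_miss = 'd2a6c1f0e9b3a7c5d2a6c1f0e9b3a7c6';

for my $cand ($matching, $near_miss) {
    printf "%s  early_exit=%d  constant_time=%d\n",
        $cand, early_exit_eq($stored, $cand), constant_time_eq($stored, $cand);
}
```

Both functions return the same answer for every input; only the time they take differs, and that timing profile is the property CWE-208 describes.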

Evidence notes

The supplied CVE description states that versions through 0.09 are susceptible because they use Perl's built-in eq comparison. The NVD record lists CWE-208. The reference set includes a patch commit, the Crypt::SaltedHash 0.10 changes page, and an oss-security announcement, all of which support the conclusion that the issue was publicly disclosed and fixed in 0.10. The vendor/product mapping in the supplied metadata is low-confidence and marked for review, so the debrief relies on the module name and cited references rather than that mapping.

Official resources

Publicly disclosed and published on 2026-05-20, with source metadata updated the same day. No KEV entry is listed in the supplied corpus.