PatchSiren

ARODLAND CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM ARODLAND CVE published 2026-06-12

CVE-2026-9641

CVE-2026-9641 is a medium-severity vulnerability (CVSS score 5.3) affecting Crypt::PBKDF2 for Perl in versions before 0.261630. The vulnerability stems from the module's weak default algorithm (HMAC-SHA1) combined with a low default iteration count (1000). HMAC-SHA1 is considered suitable only for legacy systems, and, depending on the chosen algorithm, 220,000 to 1,400,000 iterations are recommended.

HIGH ARODLAND CVE published 2026-06-12

CVE-2026-9638

CVE-2026-9638 is a high-severity vulnerability in Crypt::PBKDF2 for Perl in versions before 0.261630. These versions generate salts with Perl's built-in rand function, whose output is predictable and unsuitable for cryptographic use. The vulnerability has a CVSS score of 7.5; the CVE record is available at https://www.cve.org/CVERecord?id=CVE-2026-9638.

MEDIUM ARODLAND CVE published 2026-06-12

CVE-2017-20240

CVE-2017-20240 is a medium-severity vulnerability in Crypt::PBKDF2 for Perl in versions before 0.261630. The vulnerability allows timing attacks because derived keys are compared with Perl's built-in eq operator, whose running time varies with the compared values; those timing discrepancies could be used to guess the stored derived key. The vulnerability has a CVSS score of 5.9 (medium).
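The three debriefs above describe one hardened usage pattern when combined: choose the hash class and iteration count explicitly, draw the salt from the OS CSPRNG rather than rand, and compare derived keys without a data-dependent early exit. The script below is an added example, not code from PatchSiren or from the Crypt::PBKDF2 distribution; it assumes the Crypt::PBKDF2 constructor options and PBKDF2 method named in the comments, and that Crypt::URandom is installed to supply the salt.

```perl
#!/usr/bin/perl
# Added example, not part of the Crypt::PBKDF2 distribution or PatchSiren.
use strict;
use warnings;
use Crypt::PBKDF2;               # module discussed on this page
use Crypt::URandom qw(urandom);  # assumption: installed; reads the OS CSPRNG

# CVE-2026-9641: do not rely on the old defaults (HMAC-SHA1, 1000 iterations).
# 600,000 sits inside the 220,000 to 1,400,000 range quoted above.
# Assumption: hash_class/hash_args/iterations/salt_len are constructor options.
my $kdf = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 600_000,
    salt_len   => 16,
);

# CVE-2017-20240: compare every byte and accumulate the differences, so the
# loop runs for the full length regardless of where the first mismatch is.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);   # lengths are not secret here
    my $acc = 0;
    $acc |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $acc == 0;
}

# CVE-2026-9638: 16-byte salt from the CSPRNG, never from rand().
my $salt     = urandom(16);
my $password = 'correct horse battery staple';   # constructed sample input

# Assumption: PBKDF2($salt, $password) returns the raw derived key bytes.
# Store $salt alongside $stored; both are needed to verify later.
my $stored = $kdf->PBKDF2($salt, $password);

sub verify {
    my ($candidate) = @_;
    return constant_time_eq($stored, $kdf->PBKDF2($salt, $candidate));
}

print verify($password)        ? "accepted\n" : "rejected\n";   # accepted
print verify('wrong password') ? "accepted\n" : "rejected\n";   # rejected
```

The iteration count makes each verify() call deliberately slow, so size it against the latency budget of the login path rather than lowering it to the old default.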