CVE-2026-8647: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator in MIK Crypt::ScryptKDF
CVE-2026-8647 is a vulnerability in the Perl module Crypt::ScryptKDF, versions through 0.010, in which the module uses a cryptographically weak pseudo-random number generator (PRNG) when no secure CSPRNG module is available. Specifically, the random_bytes function falls back to Perl's built-in rand(), which is not suitable for cryptographic purposes. This weakness can undermine the security of any cryptographic operation that relies on the module's random bytes.
AI Analysis
Technical Summary
The Crypt::ScryptKDF Perl module, versions up to 0.010, uses an insecure random number source if none of the recommended cryptographically secure PRNG modules (Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure) can be loaded. In that case the module falls back to the built-in rand(). Perl's rand() is a general-purpose generator (drand48 on current perls, with a 48-bit state seeded from a 32-bit value), so its output is reproducible by anyone who learns or brute-forces the seed and is unsuitable for salts or keys. This behavior is classified as CWE-338, use of a cryptographically weak PRNG in a cryptographic context.
Potential Impact
A weak PRNG in a key-derivation path reduces the unpredictability of whatever the module generates with it, such as the random salt it produces on the caller's behalf; predictable or repeating salts defeat the per-password uniqueness a salt is meant to provide and make precomputation easier. There are no known exploits in the wild at this time. The impact is confined to environments where none of the secure PRNG modules is installed, since only then does the fallback to rand() occur.
Mitigation Recommendations
No official patch or remediation level has been published yet. Until one is, ensure that at least one of the supported cryptographically secure PRNG modules (Crypt::PRNG, Crypt::OpenSSL::Random, Net::SSLeay, Crypt::Random, or Bytes::Random::Secure) is installed wherever Crypt::ScryptKDF runs, and verify that it actually loads in the interpreter the application uses (a module installed under a different perl, or one missing its shared library, still leaves the fallback in effect). Monitor CPAN security advisories (CPANSec) and the module's CPAN page for a fixed release.
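The check described above, written out as an added example that is not code from Crypt::ScryptKDF or its author: the script reports which of the listed CSPRNG backends load in the current interpreter, draws bytes only from one of them and dies otherwise, and contrasts that with a generic rand()-based generator of the kind the fallback relies on. The helper names (can_load, available_backends, secure_random_bytes, weak_random_bytes) and the per-backend call wrappers are this example's own; the wrappers use each module's documented functional interface.

```perl
#!/usr/bin/env perl
# Added example, not code from Crypt::ScryptKDF. It checks which of the
# CSPRNG backends named in the advisory can be loaded and draws random bytes
# only from one of them, dying instead of falling back to rand().
use strict;
use warnings;

# Backends in the order the advisory lists them, each with a closure that
# returns $n raw bytes. Calls are fully qualified so nothing is imported.
my @BACKENDS = (
    [ 'Crypt::PRNG'            => sub { Crypt::PRNG::random_bytes($_[0]) } ],
    [ 'Crypt::OpenSSL::Random' => sub { Crypt::OpenSSL::Random::random_bytes($_[0]) } ],
    [ 'Net::SSLeay'            => sub {
          my $buf;
          Net::SSLeay::RAND_bytes($buf, $_[0]) == 1 or die "RAND_bytes failed";
          return $buf;
      } ],
    [ 'Crypt::Random'          => sub {
          # Strength => 0 reads /dev/urandom; Strength => 1 may block on /dev/random.
          Crypt::Random::makerandom_octet(Length => $_[0], Strength => 0)
      } ],
    [ 'Bytes::Random::Secure'  => sub { Bytes::Random::Secure::random_bytes($_[0]) } ],
);

# Try to load a module by name in this interpreter; true on success.
sub can_load {
    my ($mod) = @_;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    return eval { require $file; 1 } ? 1 : 0;
}

# Names of the backends that are installed, in preference order.
sub available_backends {
    return map { $_->[0] } grep { can_load($_->[0]) } @BACKENDS;
}

# Return $n bytes from the first loadable CSPRNG. Unlike the vulnerable
# fallback, this never touches rand(): a missing backend is a hard error.
sub secure_random_bytes {
    my ($n) = @_;
    for my $backend (@BACKENDS) {
        my ($mod, $gen) = @$backend;
        next unless can_load($mod);
        my $bytes = $gen->($n);
        die "$mod returned " . length($bytes) . " bytes, wanted $n\n"
            unless defined $bytes && length($bytes) == $n;
        return $bytes;
    }
    die "no CSPRNG backend installed (need one of: "
      . join(', ', map { $_->[0] } @BACKENDS) . ")\n";
}

# What a rand()-based fallback looks like (a generic reconstruction for
# illustration, not the module's own code). Perl's rand() is drand48 with a
# 48-bit state seeded from a 32-bit value, so every "salt" it can produce is
# one of at most 2**32 sequences.
sub weak_random_bytes {
    my ($n) = @_;
    return join '', map { chr(int(rand(256))) } 1 .. $n;
}

if (!caller) {
    my @ok = available_backends();
    print "CSPRNG backends available: ", (@ok ? join(', ', @ok) : 'NONE'), "\n";

    # Same 32-bit seed, same "random" salt: whoever learns or guesses the
    # seed reproduces it exactly.
    srand(0xC0FFEE); my $s1 = weak_random_bytes(16);
    srand(0xC0FFEE); my $s2 = weak_random_bytes(16);
    print "rand() salt reproducible from seed: ", ($s1 eq $s2 ? "yes" : "no"), "\n";

    my $salt = eval { secure_random_bytes(16) };
    if (defined $salt) {
        print "secure 16-byte salt: ", unpack('H*', $salt), "\n";
    } else {
        print "refusing to generate a salt: $@";
    }
}
```

Run it with the same perl binary the application uses (for example `/usr/bin/perl`, or the perl inside a container image), since that is the interpreter whose module path decides whether the fallback fires; a backend that loads under a developer's perlbrew install but not under the deployed one gives no protection.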
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-05-14T22:46:50.791Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a162a4be29bf47b50736dde
Added to database: 5/26/2026, 11:18:35 PM
Last enriched: 5/26/2026, 11:34:50 PM
Last updated: 5/27/2026, 12:25:53 AM