CVE-2026-47373
Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks
In short
Crypt::SaltedHash versions up to 0.09 compare hashes with a method whose run time varies slightly with how many leading characters of the two strings match, which lets an attacker who can measure those timings guess the stored password hash.
Technical detail
The library compares hashes with Perl's standard eq operator, whose execution time depends on the position of the first mismatching character, because the comparison stops as soon as it finds one. By measuring response times across many attempts, an attacker can infer the correct hash value byte by byte, undermining the protection the salt is meant to provide.
Summary generated and translated by AI from the official description.
Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks.
These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
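The comparison the description refers to and its constant-time replacement, as an added example (not code from Crypt::SaltedHash or its author): the SSHA-style hash layout, the 4-byte salt and the names make_hash, validate_eq, constant_time_eq and validate_ct are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256);
use MIME::Base64 qw(encode_base64 decode_base64);

# Simplified SSHA-style layout chosen for this example (an assumption, not the
# module's own format): "{SSHA256}" . base64( sha256(password . salt) . salt )
my $SALT_LEN = 4;

sub make_hash {
    my ( $password, $salt ) = @_;
    return '{SSHA256}' . encode_base64( sha256( $password . $salt ) . $salt, '' );
}

# Pull the salt out of the stored value and recompute the candidate digest.
sub split_and_recompute {
    my ( $stored, $password ) = @_;
    my $raw  = decode_base64( substr( $stored, length('{SSHA256}') ) );
    my $salt = substr( $raw, length($raw) - $SALT_LEN );
    return ( $raw, sha256( $password . $salt ) . $salt );
}

# Vulnerable shape: eq stops at the first differing byte, so its run time
# depends on how long the matching prefix is.
sub validate_eq {
    my ( $stored, $password ) = @_;
    my ( $expected, $computed ) = split_and_recompute( $stored, $password );
    return $computed eq $expected ? 1 : 0;
}

# Hardened shape: XOR every byte pair and OR the differences together, so the
# loop always covers the full length and the result does not depend on where
# the first mismatch sits. A length mismatch is rejected up front; for a
# fixed-size digest plus fixed-size salt that reveals nothing secret.
sub constant_time_eq {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my @xb   = unpack( 'C*', $x );
    my @yb   = unpack( 'C*', $y );
    my $diff = 0;
    $diff |= $xb[$_] ^ $yb[$_] for 0 .. $#xb;
    return $diff == 0 ? 1 : 0;
}

sub validate_ct {
    my ( $stored, $password ) = @_;
    return constant_time_eq( split_and_recompute( $stored, $password ) );
}

# Constructed credential for the demo, not a real one.
my $stored = make_hash( 'correct horse', 'ab12' );
printf "eq:            %d %d\n", validate_eq( $stored, 'correct horse' ), validate_eq( $stored, 'wrong' );
printf "constant-time: %d %d\n", validate_ct( $stored, 'correct horse' ), validate_ct( $stored, 'wrong' );
```

Both validators return 1 for the right password and 0 for the wrong one; only the constant-time variant takes the same path regardless of how many leading bytes of the two digests agree.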
Affected products
RRWO · Crypt::SaltedHash