CVE-2026-6659: Crypt::PasswdMD5 Perl Module Generates Predictable Salt Values, Undermining Password Security
A high-severity vulnerability has been disclosed in Crypt::PasswdMD5, a widely used Perl module for password hashing. Rated 7.5 on the CVSS scale, CVE-2026-6659 covers versions through 1.42, which generate the random salt for a password hash with Perl's built-in rand function. rand is a general-purpose pseudo-random number generator, and its own documentation (perldoc -f rand) states that it is not cryptographically secure and should not be relied on in security-sensitive situations. Salts drawn from it can be anticipated or reproduced by an attacker, weakening password protection on any system that deploys the affected code.
The vulnerability strikes at a core assumption in password security: that salts are unpredictable enough to defeat precomputation and to give every stored hash a unique input. Crypt::PasswdMD5 implements the MD5-based crypt scheme (the $1$ format used on Unix-like systems and the $apr1$ variant used by Apache htpasswd), and its long presence in legacy applications and infrastructure makes the flaw particularly concerning. It helps to be precise about what a predictable salt does and does not change. The salt is stored in the clear inside the hash string itself, so an attacker who already holds a hash gains nothing from predicting its salt after the fact. The damage comes earlier, and across accounts: if the generator's seed or internal state can be guessed or recovered, which a non-cryptographic generator does not guard against, an attacker can enumerate the salts it will produce and precompute candidate hashes before any password database is stolen; and a generator with little real entropy will hand the same salt to different accounts, so one guess can be checked against every hash that shares it. Both effects reduce the work of cracking relative to hashes salted from a CSPRNG.
Organizations running Perl applications that depend on Crypt::PasswdMD5 for password storage should immediately audit their codebases and assess exposure: find where the module is used, confirm the installed version, and determine whether the application relies on the module to choose the salt rather than supplying its own from a cryptographically secure source. The vulnerability underscores a broader issue in cryptographic implementations: the persistent use of non-cryptographic random number generators in security-sensitive contexts. Developers and system administrators should verify whether their applications use affected versions, check existing password stores for the observable symptom of a weak salt source (the same salt appearing on more than one account), and monitor for patches or recommended mitigations from the module's maintainers. The disclosure serves as a reminder that even long-standing, widely trusted libraries can harbor fundamental design flaws that only emerge under sustained security scrutiny.
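The two points above, why a salt from a non-cryptographic generator is predictable and how to audit an existing password store for the symptom, are illustrated by the following added example. It is not code from Crypt::PasswdMD5 or from the advisory; it is written in Python so that it runs without the module installed. Python's Mersenne Twister (random.Random) stands in for Perl's rand, which is likewise not a CSPRNG; the seed drawn from a timestamp window is a hypothetical illustration of a guessable seed, not a description of how Perl seeds rand. All function names, the sample hash strings and the window size are constructed for this example.

```python
import random
import re
import secrets
from collections import Counter

# The 64-character alphabet md5crypt uses for salts and hash output (./0-9A-Za-z).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 8  # md5crypt uses at most 8 salt characters


def weak_salt(rng):
    """Salt built by drawing one alphabet index per call to a non-cryptographic
    PRNG (one rand(64)-style call per character). Python's Mersenne Twister is
    used here as a stand-in for Perl's rand; neither is a CSPRNG."""
    return "".join(ITOA64[rng.randrange(len(ITOA64))] for _ in range(SALT_LEN))


def strong_salt():
    """Salt drawn from the OS CSPRNG via the secrets module: the fix."""
    return "".join(secrets.choice(ITOA64) for _ in range(SALT_LEN))


def salts_from_seed(seed, count):
    """Every salt the weak generator emits after being seeded with `seed`.
    Same seed, same salts: this is the whole problem in one line."""
    rng = random.Random(seed)
    return [weak_salt(rng) for _ in range(count)]


def precompute_candidate_salts(seed_window):
    """Attacker side (hypothetical scenario): if the seed is known to lie in a
    small window, e.g. a creation timestamp within a known hour, enumerate the
    first salt for every seed in it. The result is the complete salt search
    space, computed before any hash has been stolen."""
    return {salts_from_seed(seed, 1)[0] for seed in seed_window}


MD5CRYPT_RE = re.compile(
    r"^\$(?P<id>1|apr1)\$(?P<salt>[./0-9A-Za-z]{1,8})\$(?P<digest>[./0-9A-Za-z]{22})$"
)


def parse_md5crypt(hash_string):
    """Split a $1$ (Unix) or $apr1$ (Apache) md5crypt string into its fields.
    The salt sits in the clear inside the string, which is why predicting it
    after the fact buys nothing; the risk is prediction before generation
    and reuse across accounts."""
    m = MD5CRYPT_RE.match(hash_string)
    if not m:
        raise ValueError(f"not an md5crypt string: {hash_string!r}")
    return m.groupdict()


def audit_salt_reuse(hash_strings):
    """Defender side: map each salt to the number of accounts sharing it and
    return only the salts used more than once. Any entry means one password
    guess can be tested against several accounts with a single hash computation."""
    counts = Counter(parse_md5crypt(h)["salt"] for h in hash_strings)
    return {salt: n for salt, n in counts.items() if n > 1}


# Constructed sample: not real hashes of any password, just strings in
# md5crypt syntax with one deliberately repeated salt.
SAMPLE_HASHES = [
    "$1$Yh3mEh9C$" + "d" * 22,
    "$1$Yh3mEh9C$" + "e" * 22,  # same salt as the line above
    "$apr1$Q2v/xc1A$" + "f" * 22,
    "$1$pL0.sW8z$" + "g" * 22,
]

if __name__ == "__main__":
    seed = 1_700_000_000                        # hypothetical: creation time in seconds
    victim_salts = salts_from_seed(seed, 2)
    window = range(seed - 1800, seed + 1800)    # attacker guesses "within 30 minutes"
    print("victim salts:", victim_salts)
    print("first victim salt is in attacker's precomputed set:",
          victim_salts[0] in precompute_candidate_salts(window))
    print("CSPRNG salt:", strong_salt())
    print("reused salts:", audit_salt_reuse(SAMPLE_HASHES))
```

Run as a script it shows the weak generator's salts falling inside a 3600-entry precomputed set while the CSPRNG salt is fresh on every call, and the audit flags the repeated salt in the constructed sample. The same audit applies to a real shadow or htpasswd file by feeding it the hash field of each line; a clean result does not prove the salt source was strong, but any repeated salt on a store of independent accounts is a strong signal that it was not.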