External risk intelligence

Crypt::SaltedHash could allow an external attacker to compromise user passwords.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-47372

Crypt::SaltedHash contains a flaw that lets an attacker who holds a copy of the stored password hashes predict the salts that were used to hash them. With predictable salts, cracking those hashes becomes cheaper; recovered passwords can then be used for unauthorized account access, potentially exposing sensitive customer data or compromising administrative systems.

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-47372

The vulnerability resides in a software library integrated into applications for password hashing. As a code-level dependency, it is not a standalone internet-facing service, network gateway, or edge device. It is not inherently public-facing, and its reachability depends entirely on the specific application implementation, making direct internet exposure via the library itself very unlikely.

Horizon Alert

Summary of the vulnerability and why it matters

Older versions of the Perl module Crypt::SaltedHash generate salts from a non-cryptographic pseudorandom generator, so the salts are predictable. A salt is supposed to be unpredictable and unique per password; when it is not, the protection that salting adds to stored password hashes is weakened, and parties who obtain those hashes can recover the underlying passwords more easily.

  • Weak salt generation is a serious flaw.
  • Affects systems using vulnerable password hashing.
  • Exposes protected data to compromise.

Attack Path

How an attacker could exploit the issue

An attacker who obtains hashed credentials produced by an older version of `Crypt::SaltedHash` (for example from a leaked database or a backup) can exploit the weak salt generation to crack them more efficiently. Because the salts come from a predictable generator, the effective salt space is much smaller than the salt length suggests, and salts may repeat across accounts; that lets the attacker pre-compute or reuse hash tables instead of attacking each hash independently, recover plaintext passwords faster, and ultimately take over accounts.

  • Targets password hashing functions.
  • Requires access to hashed passwords.
  • Predictable salt aids brute-force attacks.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Crypt::SaltedHash for Perl stems from salts being generated with a predictable pseudorandom generator that is unsuitable for cryptographic purposes. Attackers are likely to find this kind of flaw less attractive for widespread, automated exploitation than a direct remote code execution bug: exploiting it first requires obtaining the stored hashes, and its impact depends on how the affected library is used within each application. The current threat picture does not indicate widespread weaponization, and evidence is limited.

  • Insecure randomness in library.
  • Impact dependent on application use.
  • No KEV listing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Crypt::SaltedHash to version 0.10 or later, which addresses the predictable salt generation. Start by inventorying where the module is installed and which version is in use (for example, `perl -MCrypt::SaltedHash -e 'print $Crypt::SaltedHash::VERSION'` on each host, or a check of the application's dependency manifest). Note that upgrading only changes how new salts are generated: hashes that were created with the old version keep their weak salts, so plan to re-hash passwords with a fresh salt on each user's next successful login, or force a reset for high-value accounts. If immediate upgrading is not feasible, scrutinize authentication logs for credential-stuffing or unusual login patterns, since cracked passwords are what an attacker would use.

  • Upgrade to Crypt::SaltedHash 0.10 or later.
  • Inventory installed versions and re-hash existing passwords on next login.
  • Review authentication logs for anomalies.
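The re-hash-on-login pattern from the remediation steps above, as an added example that is not the project's own code. It uses the module's documented `new`, `add`, `generate` and `validate` calls and assumes Crypt::SaltedHash 0.10 or later is installed; the in-memory `%user_store` and its `salt_refreshed` flag are constructed stand-ins for a database row. A flag of this kind is needed because a hash made with a weak salt is indistinguishable by inspection from one made with a strong salt.

```perl
#!/usr/bin/env perl
# Added example, not code from the Crypt::SaltedHash distribution.
# After upgrading the library, hashes already in the database still carry
# weak salts; refresh each one the next time its owner logs in successfully.
use strict;
use warnings;
use Crypt::SaltedHash;   # assumes version 0.10 or later

# Constructed stand-in for a user table: hash string plus a migration flag.
my %user_store = (
    alice => { hash => undef, salt_refreshed => 0 },
);

# Produce a fresh {SSHA} hash using the library's (now CSPRNG-backed) salt.
sub make_hash {
    my ($password) = @_;
    my $csh = Crypt::SaltedHash->new(algorithm => 'SHA-1');
    $csh->add($password);
    return $csh->generate;
}

# Validate the credential; on success, re-hash once so the stored salt is fresh.
sub login {
    my ($username, $password) = @_;
    my $row = $user_store{$username} or return 0;
    return 0 unless Crypt::SaltedHash->validate($row->{hash}, $password);
    unless ($row->{salt_refreshed}) {
        $row->{hash}           = make_hash($password);
        $row->{salt_refreshed} = 1;
    }
    return 1;
}

# Simulate a pre-upgrade record (constructed here; same format as the old version wrote).
$user_store{alice}{hash} = make_hash('s3cret');
my $before = $user_store{alice}{hash};

print "wrong password rejected: ",  (login('alice', 'wrong')  ? 'no' : 'yes'), "\n";
print "correct password accepted: ", (login('alice', 's3cret') ? 'yes' : 'no'), "\n";
print "stored hash re-salted: ", ($user_store{alice}{hash} ne $before ? 'yes' : 'no'), "\n";
```

Because the re-hash happens only after `validate` succeeds, the application never needs the plaintext outside the login request, and accounts that never log in again can be handled separately with a forced reset.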

Frequently asked questions

What is Crypt::SaltedHash and how is it used for password security?

Crypt::SaltedHash is a Perl library for creating and validating salted password hashes, typically in the LDAP-style `{SSHA}` format. It generates a random salt, combines it with the password before hashing, and stores the salt together with the digest so the password can later be checked. A good salt is unique and unpredictable per password, which makes it significantly harder for an attacker who obtains a database of hashes to crack them with pre-computed tables.

How does CVE-2026-47372 relate to Crypt::SaltedHash's vulnerability?

CVE-2026-47372 highlights a weakness (CWE-338) where older versions of Crypt::SaltedHash generate predictable and insecure salts. This predictability undermines the security of password hashing, potentially aiding attackers.

What is the technical weakness in older Crypt::SaltedHash versions?

Older versions of Crypt::SaltedHash (through 0.09) use Perl's built-in `rand` function to generate salts. `rand` is a general-purpose pseudorandom generator, not a cryptographically secure one: its output is fully determined by a small seed, so salts produced with it are far less random than their length suggests and can be reproduced by anyone who can infer the generator state.
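To make the weakness concrete, and to back the attack path described earlier on this page, here is an added example (not code from the Crypt::SaltedHash distribution) that builds `{SSHA}` strings with a `rand`-based salt generator of the kind the FAQ describes, next to one that reads the kernel CSPRNG. It goes slightly beyond the text in one respect: it also parses the salt back out of the stored string, because in the `{SSHA}` format the salt is stored in clear, so what the attacker gains from a weak generator is a small, reproducible salt space rather than knowledge of a secret. The four-character salt length and the `/dev/urandom` path are this example's choices, and it assumes a Unix-like host.

```perl
#!/usr/bin/env perl
# Added example, not code from the Crypt::SaltedHash distribution.
# Compares a rand()-based salt (CWE-338) with one drawn from the kernel CSPRNG,
# and shows that the salt is recoverable from the stored {SSHA} string anyway.
use strict;
use warnings;
use Digest::SHA  qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Weak: Perl's rand() is a small-state pseudorandom generator; given the seed,
# every salt it produces can be regenerated exactly.
sub weak_salt {
    my ($len) = @_;
    my @chars = ('A' .. 'Z', 'a' .. 'z', '0' .. '9');
    return join '', map { $chars[int rand @chars] } 1 .. $len;
}

# Hardened: read salt bytes straight from /dev/urandom (path assumed; Unix-like host).
sub strong_salt {
    my ($len) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    sysread($fh, my $salt, $len) == $len or die "short read from /dev/urandom";
    close $fh;
    return $salt;
}

# RFC 2307-style {SSHA}: base64( sha1(password . salt) . salt ). Salt is not secret.
sub ssha {
    my ($password, $salt) = @_;
    return '{SSHA}' . encode_base64(sha1($password . $salt) . $salt, '');
}

# Anyone holding the database can strip the 20-byte SHA-1 digest and read the salt.
sub ssha_salt {
    my ($stored) = @_;
    my ($b64) = $stored =~ /^\{SSHA\}(.+)$/ or die "not an SSHA string";
    return substr(decode_base64($b64), 20);
}

# 1. Same seed, same "random" salt: the generator adds no unpredictability.
srand(12345);
my $salt_a = weak_salt(4);
srand(12345);
my $salt_b = weak_salt(4);
printf "weak salt reproducible from seed: %s (%s)\n",
    ($salt_a eq $salt_b ? 'yes' : 'no'), $salt_a;

# 2. CSPRNG salts are independent draws.
my $strong = strong_salt(16);
printf "two strong salts differ: %s\n", ($strong ne strong_salt(16) ? 'yes' : 'no');

# 3. The salt is visible in the stored string either way; strength lies in the draw.
my $stored = ssha('correct horse', $strong);
printf "stored: %s\n", $stored;
printf "salt parsed back from stored hash matches: %s\n",
    (ssha_salt($stored) eq $strong ? 'yes' : 'no');
```

The seed demonstration is the heart of the problem: if the generator state is reconstructible (from a guessable seed, or from the salts of other accounts in the same dump), the attacker can enumerate the salts an installation will produce and build hash tables for them before or independently of attacking any single account, and identical generator states in forked worker processes can hand several users the same salt, so one table cracks all of them.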

What is the impact of predictable salts generated by Crypt::SaltedHash?

Predictable salts allow attackers to more easily crack hashed passwords. If an application uses this vulnerable library, an attacker could potentially guess or pre-compute hashes to recover plaintext passwords, leading to account compromise.

What is the recommended action for addressing the Crypt::SaltedHash vulnerability?

The primary recommendation is to upgrade Crypt::SaltedHash to version 0.10 or later. Since the upgrade does not change salts already stored, re-hash existing passwords with a fresh salt on each user's next successful login. If immediate upgrading is not possible, inventory where the vulnerable version is deployed and scrutinize authentication logs for suspicious activity in the meantime.
