CVE-2026-9641
Published: Fri, 12 Jun 2026 16:16
Details
Crypt::PBKDF2 versions before 0.261630 for Perl ship weak defaults for both the hash algorithm and the iteration count. The default algorithm is HMAC-SHA1, which should only be used for legacy systems, and the default iteration count is 1000. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used (see the OWASP Password Storage Cheat Sheet referenced below). Only the defaults changed in the fix: code that already passes hash_class and iterations explicitly to the constructor never relied on them, so the first thing to check is whether your call sites set these parameters or accept the defaults.
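The following is an added example, not code from the Crypt::PBKDF2 distribution or its documentation. It shows how to pin explicit parameters instead of accepting the pre-0.261630 defaults, how to audit stored hashes for the weak defaults, and how to rehash on a successful login. It relies on the fact that Crypt::PBKDF2 embeds the algorithm name, iteration count and salt in every hash string and that validate() reads them back from the string, so old hashes keep verifying while new ones are produced under the stronger policy. The policy values (HMAC-SHA-256, 600,000 iterations, 16-byte salt) are assumptions for illustration; take the iteration count for your chosen hash from the OWASP cheat sheet.

```perl
#!/usr/bin/env perl
# Added example (not part of Crypt::PBKDF2): explicit parameters, audit of
# stored hashes for the weak pre-0.261630 defaults, and rehash-on-login.
use strict;
use warnings;
use Crypt::PBKDF2;

# ASSUMED policy values for illustration only. Choose the iteration count for
# your hash from the OWASP Password Storage Cheat Sheet; 600_000 for
# HMAC-SHA-256 is a placeholder, not a figure taken from the advisory.
my %POLICY = (
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => 600_000,
    output_len => 32,
    salt_len   => 16,
);

my $pbkdf2 = Crypt::PBKDF2->new(%POLICY);

# Return the reasons a stored hash string falls short of the policy.
# decode_string() parses the algorithm, iteration count, salt and digest out
# of the stored string, so the audit needs no password and can run offline
# over a dump of the credential table.
sub weak_hash_reasons {
    my ($stored) = @_;
    my $parts = $pbkdf2->decode_string($stored);
    my @reasons;
    push @reasons, "algorithm $parts->{algorithm} is HMAC-SHA1"
        if $parts->{algorithm} =~ /^HMACSHA1$/i;
    push @reasons, "iterations $parts->{iterations} < $POLICY{iterations}"
        if $parts->{iterations} < $POLICY{iterations};
    return @reasons;
}

# Verify the password against whatever parameters the stored string carries
# (validate() reconstructs the hasher from the string, so legacy HMACSHA1
# hashes still verify), then rehash under the current policy if the stored
# hash is weak. Returns (ok, new_hash_or_undef); the caller stores new_hash.
sub login_and_upgrade {
    my ($stored, $password) = @_;
    return (0, undef) unless $pbkdf2->validate($stored, $password);
    return (1, undef) unless weak_hash_reasons($stored);
    return (1, $pbkdf2->generate($password));
}

# Constructed sample: a hash made with the old defaults (HMACSHA1, 1000
# iterations), as a pre-0.261630 install would have stored it.
my $password = 'correct horse battery staple';
my $legacy = Crypt::PBKDF2->new(hash_class => 'HMACSHA1', iterations => 1000)
    ->generate($password);

print "stored:   $legacy\n";
print "  weak:   $_\n" for weak_hash_reasons($legacy);

my ($ok, $fresh) = login_and_upgrade($legacy, $password);
print "login ok: $ok\n";
if (defined $fresh) {
    print "rehashed: $fresh\n";
    my @left = weak_hash_reasons($fresh);
    print "policy:   ", (@left ? "still weak" : "meets policy"), "\n";
}

# A wrong password must fail and must not trigger a rehash.
my ($bad_ok, $bad_fresh) = login_and_upgrade($legacy, 'wrong password');
print "wrong pw: ok=$bad_ok rehash=", (defined $bad_fresh ? 'yes' : 'no'), "\n";
```

Run the audit half (weak_hash_reasons) over every stored hash to size the problem; the rehash half only fixes accounts that actually log in, so accounts that stay dormant keep their HMAC-SHA1/1000-iteration hashes and should be handled by forced reset or expiry.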
References
- https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
- https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
- http://www.openwall.com/lists/oss-security/2026/06/12/5
- http://www.openwall.com/lists/oss-security/2026/06/13/1
- http://www.openwall.com/lists/oss-security/2026/06/14/1
- http://www.openwall.com/lists/oss-security/2026/06/14/2
- http://www.openwall.com/lists/oss-security/2026/06/14/3