| Name | CVE-2026-9641 |
| Description | Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1139867 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcrypt-pbkdf2-perl (PTS) | bullseye | 0.161520-1 | vulnerable |
| forky, bookworm, trixie | 0.161520-2 | vulnerable | |
| sid | 0.261630-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| libcrypt-pbkdf2-perl | source | (unstable) | 0.261630-1 | 1139867 |
https://lists.security.metacpan.org/cve-announce/msg/40933040/
Fixed by: https://github.com/arodland/Crypt-PBKDF2/commit/320db2451c42916ce787479de8a0bb1fb37a6700 (0.261630)