CVE-2025-2814

Name: CVE-2025-2814
Description: Crypt::CBC versions between 1.21 and 3.04 for Perl may use the rand() function, which is not cryptographically secure, as the default source of entropy for cryptographic operations. This issue affects operating systems where /dev/urandom is unavailable; in that case Crypt::CBC falls back to the insecure rand() function.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release                Version  Status
libcrypt-cbc-perl (PTS)  bullseye               2.33-2   vulnerable
                         sid, trixie, bookworm  3.04-3   vulnerable

The information below is based on the following data on fixed versions.

Package            Type    Release     Fixed Version  Urgency      Origin  Debian Bugs
libcrypt-cbc-perl  source  (unstable)  (unfixed)      unimportant

Notes

rand() fallback only where /dev/urandom is not available
https://lists.security.metacpan.org/cve-announce/msg/28699380/
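The weakness described above and in the note is a silent degradation: when the OS entropy device cannot be opened, key and IV material quietly comes from rand(). The following added example (not Crypt::CBC's own code) shows that fallback pattern beside a fail-closed variant, and simulates a host without /dev/urandom by passing a constructed, nonexistent device path; the function names and the path are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example, not code from Crypt::CBC: the rand() fallback pattern
# described in CVE-2025-2814, beside a replacement that refuses to degrade.
use strict;
use warnings;

# Pattern the advisory describes: read from /dev/urandom, but if it cannot
# be opened, quietly build the bytes from rand(), which is not a CSPRNG.
sub random_bytes_with_fallback {
    my ($n, $device) = @_;
    $device //= '/dev/urandom';
    if (open my $fh, '<:raw', $device) {
        my $got = read $fh, my $buf, $n;
        close $fh;
        return $buf if defined $got && $got == $n;
    }
    # Insecure fallback: rand() has a small, predictable state.
    return join '', map { chr(int(rand(256))) } 1 .. $n;
}

# Hardened variant: never fall back. If the OS entropy source is not
# available, refuse to produce key or IV material instead of degrading.
sub random_bytes_or_die {
    my ($n, $device) = @_;
    $device //= '/dev/urandom';
    open my $fh, '<:raw', $device
        or die "no usable entropy source at $device: $!\n";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die "short read from $device\n" unless defined $got && $got == $n;
    return $buf;
}

# Constructed, nonexistent path to simulate a platform (or a minimal
# chroot/container) where /dev/urandom is missing.
my $missing = '/nonexistent/urandom';

my $iv = random_bytes_with_fallback(16, $missing);
printf "fallback variant still returned %d bytes (from rand())\n", length $iv;

my $ok = eval { random_bytes_or_die(16, $missing); 1 };
print "hardened variant refused: $@" unless $ok;
```

Since no fixed Debian package is listed, the practical mitigation is to make sure /dev/urandom is actually present and readable wherever Crypt::CBC runs, which the hardened variant checks explicitly rather than assuming.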
