What is CVE-2026-8647?

CVE-2026-8647 is a medium-severity vulnerability in Mik Crypt::scryptkdf, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 4.8/10. Published 2026-05-26.

How severe is CVE-2026-8647?

Medium severity. CVSS v3 base score is 4.8 out of 10.

Vulnerability in Mik Crypt::scryptkdf

CVE-2026-8647

Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when none of the Perl modules Crypt::PRNG, C…

EPSS: 0.000 (11.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.8 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N.

Affected products

Mik Crypt::scryptkdf — versions 0

Weakness classification (CWE)

CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References

9b29abf9-4ab0-4765-b253-1875cd9b441e (release-notes)
9b29abf9-4ab0-4765-b253-1875cd9b441e
af854a3a-2127-422b-91ae-364da2661108

Frequently asked questions

What is CVE-2026-8647?: CVE-2026-8647 is a medium-severity vulnerability in Mik Crypt::scryptkdf, classified under Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG). CVSS score: 4.8/10. Published 2026-05-26.
How severe is CVE-2026-8647?: Medium severity. CVSS v3 base score is 4.8 out of 10.