Bug 2488425 (CVE-2026-9641) - CVE-2026-9641 perl-Crypt-PBKDF2: weak default algorithm and insufficient iterations
Keywords:
Status: NEW
Alias: CVE-2026-9641
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2488896 2488897
Blocks:
Reported: 2026-06-12 16:02 UTC by OSIDB Bzimport
Modified: 2026-06-15 13:59 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-12 16:02:27 UTC
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations.

The default algorithm is HMAC-SHA1, which should only be used for legacy systems.

These versions default to using 1000 iterations.

Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.
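
One way an application that calls Crypt::PBKDF2 can stop relying on the defaults described above and upgrade already-stored hashes at login. This is an added example, not code from the bug report or from the module itself; `needs_rehash`, `check_login` and the policy of HMAC-SHA-256 at 600,000 iterations (a value inside the range the description gives) are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Crypt::PBKDF2;

# Assumed policy: HMAC-SHA-256 at 600,000 iterations, a value inside the
# 220,000 to 1,400,000 range quoted in the description.
my $MIN_ITERATIONS = 600_000;

# Set every parameter explicitly so the module defaults are never used.
my $kdf = Crypt::PBKDF2->new(
    hash_class => 'HMACSHA2',
    hash_args  => { sha_size => 256 },
    iterations => $MIN_ITERATIONS,
    salt_len   => 16,
);

# True when a stored hash was produced with HMAC-SHA1 or too few iterations.
sub needs_rehash {
    my ($stored) = @_;
    my $info = $kdf->decode_string($stored);
    return 1 if $info->{algorithm} eq 'HMACSHA1';
    return 1 if $info->{iterations} < $MIN_ITERATIONS;
    return 0;
}

# Hypothetical login helper: verify the password, then upgrade a weak hash
# while the plaintext is available. Returns (ok, replacement_or_undef).
sub check_login {
    my ($stored, $password) = @_;
    # validate() reads algorithm and iteration count from the stored string,
    # so hashes created under the old defaults still verify.
    return (0, undef) unless $kdf->validate($stored, $password);
    my $new = needs_rehash($stored) ? $kdf->generate($password) : undef;
    return (1, $new);
}

# Constructed sample: a hash as the old defaults would have produced it.
my $legacy = Crypt::PBKDF2->new(hash_class => 'HMACSHA1', iterations => 1000)
    ->generate('correct horse battery staple');

my ($ok, $upgraded) = check_login($legacy, 'correct horse battery staple');
printf "valid=%d rehash=%s\n", $ok, defined $upgraded ? 'yes' : 'no';
printf "upgraded hash still weak: %s\n", needs_rehash($upgraded) ? 'yes' : 'no'
    if defined $upgraded;
```

A caller would write the returned replacement hash back to its credential store in place of the legacy value.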
