Cyber Resilience

CVE-2026-47373

High

Published: 20 May 2026

Published
20 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0039 31.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-47373 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 31.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Crypt::SaltedHash versions through 0.09 for Perl is susceptible to timing attacks. These versions use Perl's built-in eq comparison. Discrepencies in timing could be used to guess the underlying hash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Timing side-channel on salted hash comparison (CWE-208) directly enables remote guessing of hash values during authentication checks, mapping to password guessing.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-47784Shared CWE-208
CVE-2025-70949Shared CWE-208
CVE-2026-5086Shared CWE-208
CVE-2024-42512Shared CWE-208
CVE-2025-68621Shared CWE-208
CVE-2026-28464Shared CWE-208
CVE-2026-47783Shared CWE-208
CVE-2026-40972Shared CWE-208
CVE-2025-48630Shared CWE-208
CVE-2026-41588Shared CWE-208

Affected Assets

SaltedHash
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-208

Timing randomization or delays can mask true operation timing and mislead timing-based attacks.

addresses: CWE-208

Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.

References