Cyber Resilience

CVE-2026-6659

HighUpdated

Published: 08 May 2026

Published
08 May 2026
Modified
26 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0002 4.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6659 is a high-severity PRNG (CWE-338) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002); ranked at the 4.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Crypt::PasswdMD5 versions through 1.42 for Perl generates insecure random values for salts. The built-in rand function is predictable, and unsuitable for cryptography.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.002 Password Cracking Credential Access
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
T1600.001 Reduce Key Space Defense Impairment
Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.
Why these techniques?

Weak/predictable salts from rand() reduce hash entropy, directly easing offline password cracking and reducing effective key space.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5088Shared CWE-338
CVE-2025-40905Shared CWE-338
CVE-2024-40762Shared CWE-338
CVE-2025-66630Shared CWE-338
CVE-2025-15578Shared CWE-338
CVE-2026-25726Shared CWE-338
CVE-2026-47372Shared CWE-338
CVE-2024-58041Shared CWE-338
CVE-2024-57854Shared CWE-338
CVE-2025-40926Shared CWE-338

Affected Assets

PasswdMD5
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-338

Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions.

addresses: CWE-338

Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators.

References