CVE-2026-47372
Published: 20 May 2026
Summary
CVE-2026-47372 is a critical-severity PRNG (CWE-338) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions.
Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators.
NVD Description
Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)
- OWASP Top 10 Web 2025
Affected Products
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31198
Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)
EU Cyber Resilience Act — coordinated disclosure
Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.