Fedora 43 and 44 perl-Catalyst-Plugin Vulnerable to Timing Attacks
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity, metacpan.org
Keywords: versions, perl, timing, fedora, catalyst, plugin, authentication
Summary
Versions of Catalyst::Plugin::Authentication for Perl up to 0.10024 are vulnerable to timing attacks, which could allow attackers to guess passwords or hashes. This vulnerability is documented as CVE-2026-5091, published on May 21, 2026. The issue arises from the use of Perl's built-in `eq` comparison, leading to discrepancies in timing. Version 0.10026 addresses this vulnerability and was released on May 24, 2026. Users of Fedora 43 and 44 are advised to upgrade to this version to mitigate the risk. The vulnerability affects all systems using the affected versions of the plugin. The update can be installed with dnf. Security professionals should prioritize this update to protect against potential exploitation.

Key Points:
- Catalyst::Plugin::Authentication versions up to 0.10024 are vulnerable to timing attacks.
- CVE-2026-5091 was published on May 21, 2026, detailing the vulnerability.
- Version 0.10026, released on May 24, 2026, fixes the timing attack issue.
Detailed Analysis
**Impact**
Users of Fedora 43 and Fedora 44 running perl-Catalyst-Plugin-Authentication versions through 0.10024 are affected. The vulnerability allows attackers to perform timing attacks to infer sensitive authentication data such as hashes or passwords. This impacts systems relying on this Perl module for authentication, potentially exposing credentials and compromising access control. No specific sectors or geographic regions are detailed in the sources.

**Technical Details**
The vulnerability (CVE-2026-5091) arises from the use of Perl's built-in `eq` comparison, which is susceptible to timing discrepancies that attackers can exploit to disclose information. The attack vector involves timing attacks during authentication processes. The issue is fixed in version 0.10026 of the Catalyst::Plugin::Authentication module. No malware, tools, or additional infrastructure details are provided.

**Recommended Response**
Apply the updated Catalyst::Plugin::Authentication module version 0.10026 immediately using the Fedora dnf package manager with the appropriate advisory commands (`dnf upgrade --advisory FEDORA-2026-af4f5feae8` for Fedora 43 and `dnf upgrade --advisory FEDORA-2026-26666575ae` for Fedora 44). Monitor authentication logs for unusual timing patterns or repeated failed attempts. No specific detection signatures or IOCs are provided in the reports.
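The reason `eq` leaks timing is that a conventional string comparison returns as soon as it meets the first differing byte, so a guess that shares more leading bytes with the stored value takes measurably longer to reject. The following Perl is an added example and not code from Catalyst::Plugin::Authentication or its 0.10026 fix: it places the weak `eq` pattern beside a constant-time comparison that always walks the full length, and hashes variable-length secrets with the core Digest::SHA module so that the only early exit (a length mismatch) reveals nothing about the secret. The helper names (`naive_matches`, `constant_time_matches`, `secret_matches`) and the sample values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not the module's own code. Shows why a plain `eq` on a
# credential hash leaks timing and how a constant-time comparison avoids it.
use strict;
use warnings;
use Digest::SHA qw(sha256);   # core module; used to equalize secret lengths

# Vulnerable pattern: `eq` stops at the first differing byte, so the time
# taken depends on how many leading bytes of the guess are correct.
sub naive_matches {
    my ($stored, $submitted) = @_;
    return $stored eq $submitted;
}

# Hardened pattern: XOR every byte pair and OR the results together.
# The loop runs over the full length regardless of where (or whether) the
# inputs differ, so its running time does not depend on the secret.
# Only the length is checked up front, which is acceptable for
# fixed-length digests. Inputs are treated as byte strings.
sub constant_time_matches {
    my ($stored, $submitted) = @_;
    return 0 unless length($stored) == length($submitted);
    my $diff = 0;
    for my $i (0 .. length($stored) - 1) {
        $diff |= ord(substr($stored, $i, 1)) ^ ord(substr($submitted, $i, 1));
    }
    return $diff == 0;
}

# For variable-length secrets, hash both sides first so the length check
# above never reveals the secret's length; equal inputs hash equal.
sub secret_matches {
    my ($stored, $submitted) = @_;
    return constant_time_matches(sha256($stored), sha256($submitted));
}

# Constructed sample data: a stored hex digest and a guess that is correct
# in every byte except the last one.
my $stored    = '0123456789abcdef0123456789abcdef';
my $submitted = '0123456789abcdef0123456789abcdee';

printf "naive:         %s\n", naive_matches($stored, $submitted)         ? 'match' : 'no match';
printf "constant-time: %s\n", constant_time_matches($stored, $submitted) ? 'match' : 'no match';
printf "constant-time: %s\n", constant_time_matches($stored, $stored)    ? 'match' : 'no match';
printf "hashed:        %s\n", secret_matches('short', 'a much longer guess') ? 'match' : 'no match';
printf "hashed:        %s\n", secret_matches('short', 'short')             ? 'match' : 'no match';
```

Both comparisons give the same answers; the difference is only in how long the rejecting path takes. To confirm which version is installed on a Fedora host before and after applying the advisory, `rpm -q perl-Catalyst-Plugin-Authentication` prints the packaged version, which should report 0.10026 or later once the update is in place.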
Source articles (3)
- Fedora 44 perl-Catalyst-Plugin-Authentication Vulnerable to CVE-2026 — Linuxsecurity · 2026-06-02
  Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepancies in timing could be used to gue…
- Fedora 43 perl-Catalyst-Plugin — Linuxsecurity · 2026-06-02
  Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks since these versions use Perl's built-in eq comparison. Discrepancies in timing could be used to gue…
- Catalyst Plugin Authentication — metacpan.org · 2026-06-02
Timeline
- 2026-05-21 — CVE-2026-5091 published: CVE-2026-5091 details a timing attack vulnerability in Catalyst::Plugin::Authentication versions up to 0.10024.
- 2026-05-24 — Version 0.10026 released: Version 0.10026 of Catalyst::Plugin::Authentication was released to fix CVE-2026-5091.
- 2026-06-02 — Vulnerability reported in Fedora 44: Linuxsecurity reported the same vulnerability for Fedora 44 (and, the same day, Fedora 43), reiterating the need to update to version 0.10026.
CVEs
- CVE-2026-5091
Related entities
- Data Breach (Attack Type)
- CWE-200 - Exposure of Sensitive Information (CWE)
- T1110 - Brute Force (MITRE ATT&CK)
- Fedora (Company)