Ubuntu 26.04 LTS Salt Weakness in Crypt-SaltedHash Exposes Systems to Attacks
Severity: Medium (Score: 57.8)
Sources: Linuxsecurity, Ubuntu
Keywords: ubuntu, issue, generated, salts, libcrypt-saltedhash, important, salt
Severity indicators: weakness, issue, rat
Summary
A significant vulnerability has been identified in the Crypt-SaltedHash module across multiple Ubuntu releases, including 26.04 LTS and earlier versions. The flaw arises from the use of a weak pseudo-random number generator, which allows attackers to predict generated salts. This predictability can lead to a compromise of cryptographic protections, making systems vulnerable to unauthorized access. Affected versions include Ubuntu 26.04 LTS, 25.10, 24.04 LTS, 22.04 LTS, 20.04 LTS, 18.04 LTS, and 16.04 LTS. Users are advised to update to the latest package versions to mitigate the risk. The issue was disclosed in Ubuntu Security Notice USN-8418-1. A standard system update will resolve the vulnerability. The flaw emphasizes the importance of using strong cryptographic practices.
Key Points:
- Crypt-SaltedHash in multiple Ubuntu versions has a salt generation flaw.
- Attackers can predict salts, compromising cryptographic security.
- Users must update to the latest package versions to mitigate risks.
Detailed Analysis
**Impact** All supported Ubuntu releases from 16.04 LTS through 26.04 LTS and their derivatives are affected, potentially impacting millions of systems globally across various sectors using these distributions. The weakness in salt generation can lead to predictable cryptographic salts, undermining password and data hashing protections. This vulnerability increases the risk of credential compromise and unauthorized data access, affecting operational security and data integrity.
**Technical Details** The vulnerability arises from Crypt-SaltedHash using a cryptographically weak pseudo-random number generator to create salts. This weakness allows attackers to predict salts, weakening cryptographic protections during authentication or data verification processes. A salt is not a secret, but it must be unpredictable and unique per hash so that an attacker cannot precompute hashes before obtaining the stored values. No specific CVE identifiers or malware/tools have been disclosed. The issue affects the libcrypt-saltedhash-perl package, specifically its salt generation.
**Recommended Response** Apply the updated libcrypt-saltedhash-perl package versions provided for each Ubuntu release immediately, prioritizing systems running Ubuntu 26.04 LTS and 25.10. Use Ubuntu Pro for extended security coverage where available. Monitor for unusual authentication failures or attempts to exploit weak salts, though no specific IOCs have been published. Maintain standard system update practices to ensure all cryptographic components are current.
Source articles (2)
- USN-8418-1: Crypt — Ubuntu · 2026-06-10
  It was discovered that Crypt-SaltedHash incorrectly generated salts using a cryptographically weak pseudo-random number generator. An attacker could possibly use this issue to predict generated salts,…
- Ubuntu 26.04 LTS libcrypt-saltedhash Important Salt Weakness USN-8418 — Linuxsecurity · 2026-06-11
  A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 26.04 LTS, Ubuntu 25.10, Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS…
Timeline
- 2026-06-10 — Vulnerability disclosed in USN-8418-1: Ubuntu announced a security issue with Crypt-SaltedHash affecting multiple versions, urging users to update.
- 2026-06-11 — Linuxsecurity reports on the vulnerability: Linuxsecurity published details on the Crypt-SaltedHash flaw, reiterating the need for updates across affected Ubuntu versions.
Related entities
- Ubuntu (Company)