CWE-332
Insufficient Entropy in PRNG
Description
The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-9057 | — | Cri | 0.57 | 9.8 | 0.02 | Mar 27, 2018 | aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned… | |
| CVE-2014-9690 | Hig | 0.49 | 7.5 | 0.01 | Apr 2, 2017 | Huawei home gateways WS318 with software V100R001C01B022 and earlier versions are affected by the PIN offline brute force cracking vulnerability of the WPS protocol because the random number generator (RNG) used in the supplier's solution is not random enough. As a result, brute… | ||
| CVE-2016-9154 | Hig | 0.49 | 7.5 | 0.01 | Dec 23, 2016 | Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U,… | ||
| CVE-2026-3290 | Hig | 0.48 | — | 0.00 | May 14, 2026 | Timing limitations of the HRNG in RS9116 when power save mode is enabled results in predictable values | ||
| CVE-2016-1902 | Hig | 0.42 | 7.5 | 0.02 | Jun 1, 2016 | The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails,… | ||
| CVE-2017-9371 | Low | 0.17 | 2.6 | 0.01 | Nov 14, 2017 | In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity vulnerability in the default configuration of the QNX SDP could allow an attacker being able to reduce the entropy of the PRNG, making other blended attacks more practical… | ||
| CVE-2016-15005 | — | 0.00 | — | 0.00 | Dec 27, 2022 | CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests. | ||
| CVE-2014-0016 | 0.00 | — | 0.02 | Mar 24, 2014 | stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for… | |||
| CVE-2013-1445 | 0.00 | — | 0.02 | Oct 26, 2013 | The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race… |
- risk 0.57cvss 9.8epss 0.02
aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0 has an inappropriate PRNG algorithm and seeding, which makes it easier for remote attackers to obtain access by leveraging an IAM account that was provisioned…
- risk 0.49cvss 7.5epss 0.01
Huawei home gateways WS318 with software V100R001C01B022 and earlier versions are affected by the PIN offline brute force cracking vulnerability of the WPS protocol because the random number generator (RNG) used in the supplier's solution is not random enough. As a result, brute…
- risk 0.49cvss 7.5epss 0.01
Siemens Desigo PX Web modules PXA40-W0, PXA40-W1, PXA40-W2 for Desigo PX automation controllers PXC00-E.D, PXC50-E.D, PXC100-E.D, PXC200-E.D (All firmware versions < V6.00.046) and Desigo PX Web modules PXA30-W0, PXA30-W1, PXA30-W2 for Desigo PX automation controllers PXC00-U,…
- risk 0.48cvss —epss 0.00
Timing limitations of the HRNG in RS9116 when power save mode is enabled results in predictable values
- risk 0.42cvss 7.5epss 0.02
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails,…
- risk 0.17cvss 2.6epss 0.01
In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 SP1 and earlier, a loss of integrity vulnerability in the default configuration of the QNX SDP could allow an attacker being able to reduce the entropy of the PRNG, making other blended attacks more practical…
- CVE-2016-15005Dec 27, 2022risk 0.00cvss —epss 0.00
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.
- CVE-2014-0016Mar 24, 2014risk 0.00cvss —epss 0.02
stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for…
- CVE-2013-1445Oct 26, 2013risk 0.00cvss —epss 0.02
The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race…