VYPR

CWE-335

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Base | Draft

Description

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

Hierarchy (View 1000)

CVEs mapped to this weakness (18)

  • CVE-2017-11519 | Critical | Jul 21, 2017
    risk 0.64 | cvss 9.8 | epss 0.03

    passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an attacker to reset the admin password by leveraging a predictable random number generator seed. This is fixed in C9(UN)_V2_170511.

  • CVE-2024-1579 | High | Apr 29, 2024
    risk 0.53 | cvss 8.1 | epss 0.01

    Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Secomea GateManager (Webserver modules) allows Session Hijacking. This issue affects GateManager: before 11.2.624071020.

  • CVE-2018-14647 | High | Sep 25, 2018
    risk 0.50 | cvss 7.5 | epss 0.11

    Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data…

  • CVE-2025-27580 | High | Apr 24, 2025
    risk 0.49 | cvss 7.5 | epss 0.01

    NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows unauthenticated users with a Common Access Card (CAC) to escalate privileges and…

  • CVE-2017-5214 | High | May 17, 2017
    risk 0.49 | cvss 7.5 | epss 0.01

    The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 for Joomla! allows prediction of a uniqid value based on knowledge of a time value. This makes it easier to read arbitrary uploaded files.

  • CVE-2016-10180 | High | Jan 30, 2017
    risk 0.49 | cvss 7.5 | epss 0.04

    An issue was discovered on the D-Link DWR-932B router. WPS PIN generation is based on srand(time(0)) seeding.

  • CVE-2018-1426 | High | Mar 22, 2018
    risk 0.48 | cvss 7.4 | epss 0.03

    IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.

  • CVE-2026-25835 | High | Apr 1, 2026
    risk 0.43 | cvss 7.7 | epss 0.00

    Mbed TLS before 3.6.6 and TF-PSA-Crypto before 1.1.0 misuse seeds in a Pseudo-Random Number Generator (PRNG).

  • CVE-2024-55566 | Medium | Dec 9, 2024
    risk 0.43 | cvss 6.6 | epss 0.00

    ColPack 1.0.10 through 9a7293a has a predictable temporary file (located under /tmp with a name derived from an unseeded RNG). The impact can be overwriting files or making ColPack graphing unavailable to other users.

  • CVE-2026-41564 | High | Apr 23, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    CryptX versions before 0.088 for Perl do not reseed the Crypt::PK PRNG state after forking. The Crypt::PK::RSA, Crypt::PK::DSA, Crypt::PK::DH, Crypt::PK::ECC, Crypt::PK::Ed25519 and Crypt::PK::X25519 modules seed a per-object PRNG state in their constructors and reuse it…

  • CVE-2025-52578 | Medium | Nov 18, 2025
    risk 0.37 | cvss 5.7 | epss 0.00

    Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE-335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access to compromise internal device communications. This issue affects Command Centre Server: 9.30 prior to…

  • CVE-2026-3503 | Medium | Mar 19, 2026
    risk 0.27 | cvss 5.2 | epss 0.00

    Protection mechanism failure in wolfCrypt post-quantum implementations (ML-KEM and ML-DSA) in wolfSSL on ARM Cortex-M microcontrollers allows a physical attacker to compromise key material and/or cryptographic outcomes via induced transient faults that corrupt or redirect…

  • CVE-2018-12520 | High | Jul 5, 2018
    risk 0.04 | cvss 8.1 | epss 0.11

    An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG involved in the generation of session IDs is not seeded at program startup. This results in deterministic session IDs being allocated for active user sessions. An attacker with foreknowledge of the operating…

  • CVE-2025-24783 | Jan 27, 2025
    risk 0.00 | cvss (not listed) | epss 0.01

    ** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. This issue affects Apache Cocoon: all versions. When a continuation is created, it gets a random identifier. Because the random number generator…

  • CVE-2022-39218 | Sep 20, 2022
    risk 0.00 | cvss (not listed) | epss 0.01

    The JS Compute Runtime for Fastly's Compute@Edge platform provides the environment JavaScript is executed in when using the Compute@Edge JavaScript SDK. In versions prior to 0.5.3, the `Math.random` and `crypto.getRandomValues` methods fail to use sufficiently random values. The…

  • CVE-2019-25061 | May 18, 2022
    risk 0.00 | cvss (not listed) | epss 0.02

    The random_password_generator (aka RandomPasswordGenerator) gem through 1.0.0 for Ruby uses Kernel#rand to generate passwords, which, due to its cyclic nature, can facilitate password prediction.

  • CVE-2021-41117 | Oct 11, 2021
    risk 0.00 | cvss (not listed) | epss 0.03

    keypair is an RSA PEM key generator written in JavaScript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys…

  • CVE-2020-7010 | Jun 3, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    Elastic Cloud on Kubernetes (ECK) versions prior to 1.1.0 generate passwords using a weak random number generator. If an attacker is able to determine when the current Elastic Stack cluster was deployed they may be able to more easily brute force the Elasticsearch credentials…