Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-HHGH-XJ97-6F9R

Vulnerability from github – Published: 2025-09-24 12:30 – Updated: 2026-03-04 15:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: l2cap: Check encryption key size on incoming connection

This is required for passing GAP/SEC/SEM/BI-04-C PTS test case: Security Mode 4 Level 4, Responder - Invalid Encryption Key Size - 128 bit

This tests the security key with size from 1 to 15 bytes while the Security Mode 4 Level 4 requests 16 bytes key size.

Currently PTS fails with the following logs: - expected:Connection Response: Code: [3 (0x03)] Code Identifier: (lt)WildCard: Exists(gt) Length: [8 (0x0008)] Destination CID: (lt)WildCard: Exists(gt) Source CID: [64 (0x0040)] Result: [3 (0x0003)] Connection refused - Security block Status: (lt)WildCard: Exists(gt), but received:Connection Response: Code: [3 (0x03)] Code Identifier: [1 (0x01)] Length: [8 (0x0008)] Destination CID: [64 (0x0040)] Source CID: [64 (0x0040)] Result: [0 (0x0000)] Connection Successful Status: [0 (0x0000)] No further information available

And HCI logs: < HCI Command: Read Encrypti.. (0x05|0x0008) plen 2 Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)

HCI Event: Command Complete (0x0e) plen 7 Read Encryption Key Size (0x05|0x0008) ncmd 1 Status: Success (0x00) Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.) Key size: 7 ACL Data RX: Handle 14 flags 0x02 dlen 12 L2CAP: Connection Request (0x02) ident 1 len 4 PSM: 4097 (0x1001) Source CID: 64 < ACL Data TX: Handle 14 flags 0x00 dlen 16 L2CAP: Connection Response (0x03) ident 1 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-24T11:15:32Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: l2cap: Check encryption key size on incoming connection\n\nThis is required for passing GAP/SEC/SEM/BI-04-C PTS test case:\n  Security Mode 4 Level 4, Responder - Invalid Encryption Key Size\n  - 128 bit\n\nThis tests the security key with size from 1 to 15 bytes while the\nSecurity Mode 4 Level 4 requests 16 bytes key size.\n\nCurrently PTS fails with the following logs:\n- expected:Connection Response:\n    Code: [3 (0x03)] Code\n    Identifier: (lt)WildCard: Exists(gt)\n    Length: [8 (0x0008)]\n    Destination CID: (lt)WildCard: Exists(gt)\n    Source CID: [64 (0x0040)]\n    Result: [3 (0x0003)] Connection refused - Security block\n    Status: (lt)WildCard: Exists(gt),\nbut received:Connection Response:\n    Code: [3 (0x03)] Code\n    Identifier: [1 (0x01)]\n    Length: [8 (0x0008)]\n    Destination CID: [64 (0x0040)]\n    Source CID: [64 (0x0040)]\n    Result: [0 (0x0000)] Connection Successful\n    Status: [0 (0x0000)] No further information available\n\nAnd HCI logs:\n\u003c HCI Command: Read Encrypti.. (0x05|0x0008) plen 2\n        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)\n\u003e HCI Event: Command Complete (0x0e) plen 7\n      Read Encryption Key Size (0x05|0x0008) ncmd 1\n        Status: Success (0x00)\n        Handle: 14 Address: 00:1B:DC:F2:24:10 (Vencer Co., Ltd.)\n        Key size: 7\n\u003e ACL Data RX: Handle 14 flags 0x02 dlen 12\n      L2CAP: Connection Request (0x02) ident 1 len 4\n        PSM: 4097 (0x1001)\n        Source CID: 64\n\u003c ACL Data TX: Handle 14 flags 0x00 dlen 16\n      L2CAP: Connection Response (0x03) ident 1 len 8\n        Destination CID: 64\n        Source CID: 64\n        Result: Connection successful (0x0000)\n        Status: No further information available (0x0000)",
  "id": "GHSA-hhgh-xj97-6f9r",
  "modified": "2026-03-04T15:30:32Z",
  "published": "2025-09-24T12:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39889"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24b2cdfc16e9bd6ab3d03b8e01c590755bd3141f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/522e9ed157e3c21b4dd623c79967f72c21e45b78"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9e3114958d87ea88383cbbf38c89e04b8ea1bce5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6d527bbd3d3896375079f5dbc8b7f96734a3ba5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d49798ecd26e0ee7995a7fc1e90ca5cd9b4402d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d4ca2fd218caafbf50e3343ba1260c6a23b5676a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ed503d340a501e414114ddc614a3aae4f6e9eae2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HHPV-56P8-WVW8

Vulnerability from github – Published: 2022-05-17 00:16 – Updated: 2022-05-17 00:16
VLAI
Details

Huawei USG6300 V100R001C30SPC300 and USG6600 with software of V100R001C30SPC500,V100R001C30SPC600,V100R001C30SPC700,V100R001C30SPC800 have a weak algorithm vulnerability. Attackers may exploit the weak algorithm vulnerability to crack the cipher text and cause confidential information leaks on the transmission links.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-8174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-11-22T19:29:00Z",
    "severity": "HIGH"
  },
  "details": "Huawei USG6300 V100R001C30SPC300 and USG6600 with software of V100R001C30SPC500,V100R001C30SPC600,V100R001C30SPC700,V100R001C30SPC800 have a weak algorithm vulnerability. Attackers may exploit the weak algorithm vulnerability to crack the cipher text and cause confidential information leaks on the transmission links.",
  "id": "GHSA-hhpv-56p8-wvw8",
  "modified": "2022-05-17T00:16:13Z",
  "published": "2022-05-17T00:16:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8174"
    },
    {
      "type": "WEB",
      "url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170802-01-usg-en"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HJ85-PMJM-XQX2

Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17
VLAI
Details

IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207980.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-12T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "IBM Data Risk Manager (iDNA) 2.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207980.",
  "id": "GHSA-hj85-pmjm-xqx2",
  "modified": "2022-05-24T19:17:16Z",
  "published": "2022-05-24T19:17:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38862"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/207980"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6497499"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-HJVF-VWPV-9G29

Vulnerability from github – Published: 2023-11-16 09:30 – Updated: 2023-12-01 21:30
VLAI
Details

Inadequate encryption strength vulnerability in multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION allows a network-adjacent unauthenticated attacker to guess the encryption key used for wireless LAN communication and intercept the communication. As for the affected products/versions, see the information provided by the vendor under [References] section.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-43757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-16T07:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Inadequate encryption strength vulnerability in multiple routers provided by ELECOM CO.,LTD. and LOGITEC CORPORATION allows a network-adjacent unauthenticated attacker to guess the encryption key used for wireless LAN communication and intercept the communication. As for the affected products/versions, see the information provided by the vendor under [References] section.",
  "id": "GHSA-hjvf-vwpv-9g29",
  "modified": "2023-12-01T21:30:26Z",
  "published": "2023-11-16T09:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43757"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU94119876"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20210706-01"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20230810-01"
    },
    {
      "type": "WEB",
      "url": "https://www.elecom.co.jp/news/security/20231114-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HM9H-QVFM-GGW4

Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2023-01-30 21:30
VLAI
Details

IBM Security Access Manager 9.0.1 through 9.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158512.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-4151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-06-25T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Security Access Manager 9.0.1 through 9.0.6 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158512.",
  "id": "GHSA-hm9h-qvfm-ggw4",
  "modified": "2023-01-30T21:30:40Z",
  "published": "2022-05-24T16:48:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4151"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158512"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10888379"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP45-3W87-63C3

Vulnerability from github – Published: 2025-07-31 21:31 – Updated: 2025-07-31 21:31
VLAI
Details

jwt v5.4.3 was discovered to contain weak encryption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-45770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-31T20:15:33Z",
    "severity": "HIGH"
  },
  "details": "jwt v5.4.3 was discovered to contain weak encryption.",
  "id": "GHSA-hp45-3w87-63c3",
  "modified": "2025-07-31T21:31:53Z",
  "published": "2025-07-31T21:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-45770"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/ZupeiNie/cd88c827eef11a1618f8baacccd240fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lcobucci"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lcobucci/jwt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HP9J-R2QW-J3VW

Vulnerability from github – Published: 2022-12-19 12:30 – Updated: 2022-12-23 18:30
VLAI
Details

In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-19T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent.",
  "id": "GHSA-hp9j-r2qw-j3vw",
  "modified": "2022-12-23T18:30:40Z",
  "published": "2022-12-19T12:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38659"
    },
    {
      "type": "WEB",
      "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0102049"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HPFR-FH2J-J4M2

Vulnerability from github – Published: 2023-08-28 12:30 – Updated: 2024-04-04 07:14
VLAI
Details

An issue was discovered in Stormshield SSL VPN Client before 3.2.0. If multiple address books are used, an attacker may be able to access the other encrypted address book.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46783"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T12:15:08Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Stormshield SSL VPN Client before 3.2.0. If multiple address books are used, an attacker may be able to access the other encrypted address book.",
  "id": "GHSA-hpfr-fh2j-j4m2",
  "modified": "2024-04-04T07:14:03Z",
  "published": "2023-08-28T12:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46783"
    },
    {
      "type": "WEB",
      "url": "https://advisories.stormshield.eu"
    },
    {
      "type": "WEB",
      "url": "https://advisories.stormshield.eu/2022-029"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQHM-W88M-83J6

Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20
VLAI
Details

IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack. IBM X-Force ID: 90704.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-27T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Rational Focal Point 6.4.0, 6.4.1, 6.5.1, 6.5.2, and 6.6.0 use a weak algorithm to hash passwords, which makes it easier for context-dependent attackers to obtain cleartext values via a brute-force attack. IBM X-Force ID: 90704.",
  "id": "GHSA-hqhm-w88m-83j6",
  "modified": "2022-05-14T03:20:02Z",
  "published": "2022-05-14T03:20:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0841"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/90704"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/blogs/psirt/ibm-security-bulletin-weak-password-hash-vulnerability-in-rational-focalpoint-cve-2014-0841"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-HQHQ-PXHF-F4JJ

Vulnerability from github – Published: 2022-05-17 02:50 – Updated: 2022-05-17 02:50
VLAI
Details

OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T03:59:00Z",
    "severity": "HIGH"
  },
  "details": "OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.",
  "id": "GHSA-hqhq-pxhf-f4jj",
  "modified": "2022-05-17T02:50:12Z",
  "published": "2022-05-17T02:50:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5056"
    },
    {
      "type": "WEB",
      "url": "https://community.rapid7.com/community/infosec/blog/2016/07/26/r7-2016-10-multiple-osram-sylvania-osram-lightify-vulnerabilities-cve-2016-5051-through-5059"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.