Common Weakness Enumeration

CWE-339

Allowed

Small Seed Space in PRNG

Abstraction: Variant · Status: Draft

A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.

3 vulnerabilities reference this CWE, most recent first.

CVE-2026-2815 (GCVE-0-2026-2815)

Vulnerability from cvelistv5 – Published: 2026-06-25 13:27 – Updated: 2026-06-25 14:03
VLAI
Title
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys
Summary
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-339 - Small seed space in PRNG
Assigner
References
Impacted products
Vendor Product Version
Silicon Labs SiSDK Affected: 0 , ≤ 2025.12.1 (semver)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T14:03:39.954725Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T14:03:49.129Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SiSDK",
          "vendor": "Silicon Labs",
          "versions": [
            {
              "lessThanOrEqual": "2025.12.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys"
            }
          ],
          "value": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-112",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-112 Brute Force"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "ADJACENT",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-339",
              "description": "CWE-339 Small seed space in PRNG",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T13:27:45.446Z",
        "orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
        "shortName": "Silabs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory",
            "permissions-required"
          ],
          "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000kDYsfIAG?operationContext=S1"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/SiliconLabsSoftware/sisdk-release"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
    "assignerShortName": "Silabs",
    "cveId": "CVE-2026-2815",
    "datePublished": "2026-06-25T13:27:45.446Z",
    "dateReserved": "2026-02-19T16:49:32.148Z",
    "dateUpdated": "2026-06-25T14:03:49.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-10026 (GCVE-0-2024-10026)

Vulnerability from cvelistv5 – Published: 2025-01-30 19:12 – Updated: 2025-02-24 11:50
VLAI
Title
Improved Seeding and Hashing In gVisor
Summary
A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
Impacted products
Vendor Product Version
Google gVisor Unaffected: Release 20241028.0
Create a notification for this product.
Credits
Amit Klein (Hebrew University of Jerusalem) Inon Kaplan (Independent researcher) Ron Even (Independent researcher)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-10026",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-30T20:38:11.885657Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-30T20:38:31.158Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "gVisor",
          "repo": "https://github.com/google/gvisor",
          "vendor": "Google",
          "versions": [
            {
              "status": "unaffected",
              "version": "Release 20241028.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Amit Klein (Hebrew University of Jerusalem)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Inon Kaplan (Independent researcher)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ron Even (Independent researcher)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google\u0027s gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.\u003cbr\u003e"
            }
          ],
          "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google\u0027s gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-21",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-21 Exploitation of Trusted Identifiers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-328",
              "description": "CWE-328",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-339",
              "description": "CWE-339",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-24T11:50:42.192Z",
        "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "shortName": "Google"
      },
      "references": [
        {
          "url": "https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56"
        },
        {
          "url": "https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af"
        },
        {
          "url": "https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2"
        },
        {
          "url": "https://www.ndss-symposium.org/wp-content/uploads/2025-122-paper.pdf"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improved Seeding and Hashing In gVisor",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
    "assignerShortName": "Google",
    "cveId": "CVE-2024-10026",
    "datePublished": "2025-01-30T19:12:27.994Z",
    "dateReserved": "2024-10-16T08:04:54.647Z",
    "dateUpdated": "2025-02-24T11:50:42.192Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-F2CJ-J66G-55WJ

Vulnerability from github – Published: 2026-06-25 15:32 – Updated: 2026-06-25 15:32
VLAI
Details

Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-2815"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-339"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-25T14:16:37Z",
    "severity": "HIGH"
  },
  "details": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys",
  "id": "GHSA-f2cj-j66g-55wj",
  "modified": "2026-06-25T15:32:00Z",
  "published": "2026-06-25T15:32:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2815"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SiliconLabsSoftware/sisdk-release"
    },
    {
      "type": "WEB",
      "url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000kDYsfIAG?operationContext=S1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.

Mitigation MIT-2
Architecture and Design Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.

No CAPEC attack patterns related to this CWE.