Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-339
Small Seed Space in PRNG
A Pseudo-Random Number Generator (PRNG) uses a relatively small seed space, which makes it more susceptible to brute force attacks.
CVE-2024-10026 (GCVE-0-2024-10026)
Vulnerability from cvelistv5 – Published: 2025-01-30 19:12 – Updated: 2025-02-24 11:50
VLAI
Title
Improved Seeding and Hashing In gVisor
Summary
A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-30T20:38:11.885657Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-30T20:38:31.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "gVisor",
"repo": "https://github.com/google/gvisor",
"vendor": "Google",
"versions": [
{
"status": "unaffected",
"version": "Release 20241028.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Amit Klein (Hebrew University of Jerusalem)"
},
{
"lang": "en",
"type": "finder",
"value": "Inon Kaplan (Independent researcher)"
},
{
"lang": "en",
"type": "finder",
"value": "Ron Even (Independent researcher)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A weak hashing algorithm and small sizes of seeds/secrets in Google\u0027s gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.\u003cbr\u003e"
}
],
"value": "A weak hashing algorithm and small sizes of seeds/secrets in Google\u0027s gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances."
}
],
"impacts": [
{
"capecId": "CAPEC-21",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-21 Exploitation of Trusted Identifiers"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-339",
"description": "CWE-339",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-24T11:50:42.192Z",
"orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"shortName": "Google"
},
"references": [
{
"url": "https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56"
},
{
"url": "https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af"
},
{
"url": "https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2"
},
{
"url": "https://www.ndss-symposium.org/wp-content/uploads/2025-122-paper.pdf"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improved Seeding and Hashing In gVisor",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
"assignerShortName": "Google",
"cveId": "CVE-2024-10026",
"datePublished": "2025-01-30T19:12:27.994Z",
"dateReserved": "2024-10-16T08:04:54.647Z",
"dateUpdated": "2025-02-24T11:50:42.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-2815 (GCVE-0-2026-2815)
Vulnerability from cvelistv5 – Published: 2026-06-25 13:27 – Updated: 2026-06-25 14:03
VLAI
Title
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys
Summary
Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-339 - Small seed space in PRNG
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://siliconlabs.lightning.force.com/sfc/servl… | vendor-advisorypermissions-required |
| https://github.com/SiliconLabsSoftware/sisdk-release | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Silicon Labs | SiSDK |
Affected:
0 , ≤ 2025.12.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2815",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T14:03:39.954725Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:03:49.129Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SiSDK",
"vendor": "Silicon Labs",
"versions": [
{
"lessThanOrEqual": "2025.12.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys"
}
],
"value": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys"
}
],
"impacts": [
{
"capecId": "CAPEC-112",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-112 Brute Force"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "ADJACENT",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-339",
"description": "CWE-339 Small seed space in PRNG",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:27:45.446Z",
"orgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"shortName": "Silabs"
},
"references": [
{
"tags": [
"vendor-advisory",
"permissions-required"
],
"url": "https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/069Vm00000kDYsfIAG?operationContext=S1"
},
{
"tags": [
"patch"
],
"url": "https://github.com/SiliconLabsSoftware/sisdk-release"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Incorrect use of the PUF key for user key generation in EFR32xG27 results in predictable keys",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "030b2754-1501-44a4-bef8-48be86a33bf4",
"assignerShortName": "Silabs",
"cveId": "CVE-2026-2815",
"datePublished": "2026-06-25T13:27:45.446Z",
"dateReserved": "2026-02-19T16:49:32.148Z",
"dateUpdated": "2026-06-25T14:03:49.129Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Mitigation ID: MIT-2
Phases: Architecture and Design, Requirements
Strategy: Libraries or Frameworks
Description:
- Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
No CAPEC attack patterns related to this CWE.