CWE • Base • Draft • 20 recent CVEs
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Description
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Common consequences
- Access Control → Bypass Protection Mechanism: If a PRNG is used for authentication and authorization, such as a session ID or a seed for generating a cryptographic key, then an attacker may be able to easily guess the ID or cryptographic key and gain access to restricted functionality.
Potential mitigations
- Implementation: Use functions or hardware that rely on hardware-based random number generation for all crypto. This is the recommended solution. Use CryptGenRandom on Windows, or hw_rand() on Linux.
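The session ID case from the consequences above, as an added Python example that is not part of the CWE entry: a seeded Mersenne Twister ID beside an ID drawn from the OS CSPRNG through `secrets` (a swap-in for the platform functions named above), plus a small source check for the weak pattern. The function names, `WEAK_CALLS` and `SAMPLE` are hypothetical and the sample source is constructed.

```python
import ast
import random
import secrets

def weak_session_id(seed: int) -> str:
    """Weak pattern (CWE-338): Mersenne Twister output used as a session ID.
    Anyone who learns or guesses the seed reproduces the same ID."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)

def strong_session_id() -> str:
    """Hardened form: 128 bits from the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)

# Names in the random module that are not cryptographically strong.
# random.SystemRandom is left out because it reads from os.urandom.
WEAK_CALLS = {"random", "randint", "randrange", "getrandbits", "choice",
              "choices", "sample", "shuffle", "seed", "Random", "randbytes"}

def find_weak_prng_calls(source: str) -> list[tuple[int, str]]:
    """Return (line, call) for each random.<weak>() call in Python source.
    Only sees calls written as random.<name>(...); aliased imports are missed."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "random"
                and node.func.attr in WEAK_CALLS):
            hits.append((node.lineno, "random." + node.func.attr))
    return sorted(hits)

# Constructed sample source for the check (not from any real project).
SAMPLE = '''import random, secrets
def new_token():
    return "%x" % random.getrandbits(128)
def new_token_fixed():
    return secrets.token_hex(16)
'''

if __name__ == "__main__":
    # Same seed gives the same ID, which is why the weak form is guessable.
    print(weak_session_id(1234) == weak_session_id(1234))
    print(strong_session_id())
    print(find_weak_prng_calls(SAMPLE))
```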
Related CWEs
Recent CVEs classified under this CWE
- CVE-2026-46493 • 7.5 • 2026-06-05
- CVE-2026-11347 • 2026-06-05
- CVE-2026-41858 • 7.5 • 2026-06-04
- CVE-2026-8647 • 4.8 • 2026-05-26
- CVE-2026-47372 • 9.1 • 2026-05-20
- CVE-2026-42155 • 2026-05-15
- CVE-2026-8503 • 6.5 • 2026-05-15
- CVE-2026-6146 • 5.3 • 2026-05-11
- CVE-2026-5084 • 6.5 • 2026-05-11
- CVE-2026-6659 • 7.5 • 2026-05-08
- CVE-2026-41505 • 8.7 • 2026-05-07
- CVE-2026-5080 • 5.9 • 2026-04-30
- CVE-2026-40514 • 5.9 • 2026-04-27
- CVE-2026-41564 • 7.5 • 2026-04-23
- CVE-2026-5088 • 7.5 • 2026-04-15
- CVE-2026-5085 • 9.1 • 2026-04-13
- CVE-2026-5083 • 5.3 • 2026-04-08
- CVE-2026-5082 • 5.3 • 2026-04-08
- CVE-2026-25726 • 8.1 • 2026-04-03
- CVE-2026-34871 • 6.7 • 2026-04-01