Skip to main content

Raspberry Pi EEPROM CVE-2026-13199

| EUVDEUVD-2026-42021 MEDIUM
Insufficient Entropy (CWE-331)
2026-07-07 Nozomi GHSA-fghc-hpwq-xm37
5.1
CVSS 4.0 · Vendor: Nozomi
Share

Severity by source

Vendor (Nozomi) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.0 MEDIUM

Local vector reflects physical/shell access requirement; no privileges needed; only limited kernel-address confidentiality impact with no integrity or availability effect.

3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Nozomi).

CVSS VectorVendor: Nozomi

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 09:17 vuln.today

DescriptionCVE.org

EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices produced non-random KASLR and RNG seed values. This resulted in consistent kernel addresses across boots and devices, potentially making it easier to exploit other vulnerabilities. Additionally, the low-quality RNG seed may affect the quality of random numbers or delay booting while sufficient entropy is accumulated from other sources.

AnalysisAI

Predictable KASLR offsets and RNG seeds in Raspberry Pi 5 and Compute Module 5 EEPROM firmware undermine kernel address space layout randomization across all affected devices and reboots. Because the entropy source is deterministic, any attacker who can identify the firmware version can predict kernel memory addresses, reducing KASLR to a known-offset bypass. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify affected firmware version
Delivery
Compute deterministic KASLR slide
Exploit
Obtain local access to target device
Execution
Leverage predictable kernel addresses in secondary exploit
Impact
Escalate to kernel privilege

Vulnerability AssessmentAI

Exploitation The device must be a Raspberry Pi 5 or Compute Module 5 running an affected EEPROM firmware version - no special configuration or non-default feature is required; the insufficient entropy is unconditional in the vulnerable firmware. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 with a local attack vector (AV:L) correctly reflects that this is a security-weakening vulnerability rather than a direct exploitation primitive. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with local shell access to an unpatched Raspberry Pi 5 determines the device's firmware version, then uses the known-deterministic KASLR seed to calculate exact kernel symbol addresses. Armed with these addresses, they construct a ROP chain for a separate kernel vulnerability - one that would otherwise be defeated by KASLR - and escalate to ring-0 privileges. …
Remediation The primary fix is an upstream EEPROM firmware update delivered via the rpi-eeprom package; users should apply the patched firmware once a tagged release incorporating PR #841 is available (https://github.com/raspberrypi/rpi-eeprom/pull/841). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy