Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).
AnalysisAI
Mbed TLS 3.x before 3.6.6, 4.x before 4.1.0, and TF-PSA-Crypto before 1.1.0 contain a predictable seed vulnerability in their pseudo-random number generator (PRNG) implementation that compromises the cryptographic strength of generated random values. Attackers with knowledge of the seed initialization mechanism can predict PRNG output, enabling them to forge cryptographic material, decrypt communications, or impersonate legitimate parties. No active exploitation has been confirmed, but the information disclosure nature of this vulnerability affects all applications relying on these libraries for cryptographic operations.
Technical ContextAI
The vulnerability resides in the PRNG implementation used by Mbed TLS and TF-PSA-Crypto for generating cryptographic random numbers, which are fundamental to key generation, nonce creation, and other security-critical operations. The root cause involves predictable seed initialization-the mechanism that initializes the PRNG state lacks sufficient entropy or uses a deterministic source rather than a cryptographically secure random source. Since PRNG output directly feeds cryptographic operations including RSA/ECDSA signatures, symmetric cipher initialization, and protocol handshakes, a predictable seed undermines the security guarantees of all downstream cryptographic operations. This affects the C/C++ implementations of both Mbed TLS (a widely-used embedded TLS library) and TF-PSA-Crypto (the ARM Platform Security Architecture cryptography API), which are used extensively in embedded systems, IoT devices, mobile platforms, and other resource-constrained environments.
RemediationAI
Upgrade immediately to Mbed TLS 3.6.6 or later for the 3.x branch, Mbed TLS 4.1.0 or later for the 4.x branch, and TF-PSA-Crypto 1.1.0 or later. These patched versions address the PRNG seed initialization vulnerability and restore cryptographic randomness guarantees. Organizations unable to patch immediately should implement compensating controls such as using external hardware random number generators (if the platform supports them) or integrating entropy from verified cryptographic libraries that do not suffer from the same predictability issue, though such workarounds are temporary and not a substitute for patching. Refer to the official Mbed TLS security advisory at https://mbed-tls.readthedocs.io/en/latest/security-advisories/ for detailed remediation guidance and platform-specific upgrade instructions.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18001
GHSA-rjq9-c3rf-c638