Skip to main content

Microsoft CVE-2026-5087

| EUVD-2026-17531 HIGH
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-03-31 9b29abf9-4ab0-4765-b253-1875cd9b441e GHSA-r6mr-wmgj-f864
Information Disclosure Microsoft
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 31, 2026 - 16:22 euvd
EUVD-2026-17531
Analysis Generated
Mar 31, 2026 - 16:22 vuln.today
CVE Published
Mar 31, 2026 - 16:16 nvd
HIGH 7.5

DescriptionNVD

PAGI::Middleware::Session::Store::Cookie versions through 0.001003 for Perl generates random bytes insecurely.

PAGI::Middleware::Session::Store::Cookie attempts to read bytes from the /dev/urandom device directly. If that fails (for example, on systems without the device, such as Windows), then it will emit a warning that recommends the user install Crypt::URandom, and then return a string of random bytes generated by the built-in rand function, which is unsuitable for cryptographic applications.

This modules does not use the Crypt::URandom module, and installing it will not fix the problem.

The random bytes are used for generating an initialisation vector (IV) to encrypt the cookie.

A predictable IV may make it easier for malicious users to decrypt and tamper with the session data that is stored in the cookie.

AnalysisAI

PAGI::Middleware::Session::Store::Cookie through version 0.001003 generates cryptographically weak initialization vectors (IVs) for session cookie encryption by falling back to Perl's built-in rand() function when /dev/urandom is unavailable, particularly affecting Windows systems. This predictable IV generation enables attackers to decrypt and tamper with session data stored in cookies, compromising session confidentiality and integrity. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-40412 CRITICAL
10.0 May 22

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil
CVE-2026-41104 CRITICAL
10.0 May 22

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal
CVE-2026-23652 CRITICAL
10.0 May 22

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-
CVE-2026-47280 CRITICAL
10.0 May 22

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti
CVE-2026-42901 CRITICAL
10.0 May 22

Privilege escalation in Microsoft Entra ID enables remote unauthenticated attackers to bypass origin validation and gain

Share

CVE-2026-5087 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy