Monthly
PRNG state reuse across forked processes in CryptX for Perl allows remote attackers to recover private signing keys through cryptographic nonce-reuse attacks. When Crypt::PK objects are created before fork() in preforking web servers like Starman, every child process inherits identical PRNG state, causing duplicate randomness in cryptographic operations. Two ECDSA or DSA signatures generated by different worker processes are sufficient to mathematically recover the private key. EPSS exploitation probability is low (0.02%), but CISA SSVC framework confirms proof-of-concept availability and automatable exploitation. Vendor patch released in CryptX 0.088.
Mbed TLS before version 3.6.6 and TF-PSA-Crypto before version 1.1.0 contain a PRNG seed misuse vulnerability that enables information disclosure. An attacker who gains access to a seeded PRNG instance can potentially predict or replicate pseudo-random number generation, compromising cryptographic material confidentiality. The vulnerability affects cryptographic libraries used in embedded systems and IoT devices, with confirmed availability of vendor security advisories but no CVSS score assigned at time of analysis.
CVE-2026-3503 is a security vulnerability (CVSS 4.3) that allows a physical attacker. Remediation should follow standard vulnerability management procedures.
Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE- 335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access, to compromise internal device. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required. No vendor patch available.
NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PRNG state reuse across forked processes in CryptX for Perl allows remote attackers to recover private signing keys through cryptographic nonce-reuse attacks. When Crypt::PK objects are created before fork() in preforking web servers like Starman, every child process inherits identical PRNG state, causing duplicate randomness in cryptographic operations. Two ECDSA or DSA signatures generated by different worker processes are sufficient to mathematically recover the private key. EPSS exploitation probability is low (0.02%), but CISA SSVC framework confirms proof-of-concept availability and automatable exploitation. Vendor patch released in CryptX 0.088.
Mbed TLS before version 3.6.6 and TF-PSA-Crypto before version 1.1.0 contain a PRNG seed misuse vulnerability that enables information disclosure. An attacker who gains access to a seeded PRNG instance can potentially predict or replicate pseudo-random number generation, compromising cryptographic material confidentiality. The vulnerability affects cryptographic libraries used in embedded systems and IoT devices, with confirmed availability of vendor security advisories but no CVSS score assigned at time of analysis.
CVE-2026-3503 is a security vulnerability (CVSS 4.3) that allows a physical attacker. Remediation should follow standard vulnerability management procedures.
Incorrect Usage of Seeds in Pseudo-Random Number Generator (CWE- 335) vulnerability in the High Sec ELM may allow a sophisticated attacker with physical access, to compromise internal device. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required. No vendor patch available.
NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
** UNSUPPORTED WHEN ASSIGNED ** Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Apache Cocoon. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.