CWE-332 - Insufficient Entropy in PRNG
- Abstraction:Variant
- Structure:Simple
- Status:Draft
- Release Date:2006-07-19
- Latest Modification Date:2024-02-29
Weakness Name
Insufficient Entropy in PRNG
Description
The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
Common Consequences
Scope: Availability
Impact: DoS: Crash, Exit, or Restart
Notes: If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash.
Scope: Access Control, Other
Impact: Bypass Protection Mechanism, Other
Notes: If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users.
Related Weaknesses
Oracle denies breach after hacker claims theft of 6 million data records
Oracle Health breach compromises patient data at US hospitals
Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825)
Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp
CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites
CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)
RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations
Employee charged with stealing unreleased movies, sharing them online
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-40890 Zyxel DSL CPE OS Command Injection Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalUser Controllable JavaScript Event (XSS)
InformationalContent Security Policy (CSP) Report-Only Header Found
InformationalImage Exposes Location or Privacy Data
HighOpen Redirect
InformationalASP.NET ViewState Disclosure