VariantDraft

CWE-337Predictable Seed in Pseudo-Random Number Generator (PRNG)

Category: other

Description

A Pseudo-Random Number Generator (PRNG) is initialized from a predictable seed, such as the process ID or system time. The use of predictable seeds significantly reduces the number of possible seeds that an attacker would need to test in order to predict which random numbers will be generated by the PRNG.

Common consequences· 1

  • Other — Varies by Context

Potential mitigations· 3

  • []Use non-predictable inputs for seed generation.
  • [Architecture and Design, Requirements]Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
  • [Implementation]Use a PRNG that periodically re-seeds itself using input from high-quality sources, such as hardware devices with high entropy. However, do not re-seed too frequently, or else the entropy source might block.

References

  1. https://cwe.mitre.org/data/definitions/337.html

(incoming)1

TypeTargetConfidenceTier
VulnerabilityCVE-2025-55069cve-2025-550690%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CWE
Same Seed in Pseudo-Random Number Generator (PRNG)
CWE
Small Seed Space in PRNG
CWE
Predictable from Observable State
CWE
Use of Predictable Algorithm in Random Number Generator
CWE
Predictable Value Range from Previous Values
CWE
Insufficient Entropy in PRNG
Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.