2 vulnerabilities classified as CWE-336 (Same Seed in PRNG). AI Chinese analysis included.
CWE-336 represents a critical algorithmic weakness where a Pseudo-Random Number Generator is initialized with a static, predictable seed value rather than a dynamic one. Because PRNGs are deterministic algorithms, reusing the same seed guarantees identical sequences of output numbers across different executions or sessions. Attackers typically exploit this flaw by observing initial outputs or knowing the fixed seed to predict subsequent values, effectively breaking the security model of systems relying on randomness for session tokens, cryptographic keys, or nonces. To prevent this vulnerability, developers must ensure that the PRNG is seeded with high-entropy data derived from a cryptographically secure random source, such as operating system entropy pools, for every initialization. This approach ensures that each generated sequence is unique and computationally infeasible for an adversary to guess, thereby maintaining the integrity and unpredictability required for secure application operations.
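The determinism and the fix described above, side by side, as an added example that is not taken from the CWE entry or from either listed product. The class and method names are hypothetical, and `HexFormat` assumes Java 17 or later.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import java.util.Random;

// Added illustration; class and method names are hypothetical.
public class SeedReuseDemo {
    // Weak: every generator instance starts from the same compile-time seed.
    private static final long FIXED_SEED = 1234567890L;

    // One shared CSPRNG, self-seeded from the operating system's entropy source.
    private static final SecureRandom CSPRNG = new SecureRandom();

    // CWE-336 pattern: the "random" sequence is a constant of the program.
    static int[] weakIds(int count) {
        Random random = new Random(FIXED_SEED);
        int[] ids = new int[count];
        for (int i = 0; i < count; i++) {
            ids[i] = random.nextInt();
        }
        return ids;
    }

    // Hardened: 128 bits from the CSPRNG, with no application-supplied seed.
    static String strongToken() {
        byte[] buf = new byte[16];
        CSPRNG.nextBytes(buf);
        return HexFormat.of().formatHex(buf);
    }

    public static void main(String[] args) {
        // Stands in for two separate process starts: both yield the same IDs.
        int[] firstRun = weakIds(5);
        int[] secondRun = weakIds(5);
        System.out.println("weak run 1: " + Arrays.toString(firstRun));
        System.out.println("weak run 2: " + Arrays.toString(secondRun));
        System.out.println("identical:  " + Arrays.equals(firstRun, secondRun));

        // Tokens drawn from the CSPRNG differ between calls and between runs.
        String a = strongToken();
        String b = strongToken();
        System.out.println("token a: " + a);
        System.out.println("token b: " + b);
        System.out.println("identical:  " + a.equals(b));
    }
}
```

Comparing the output of two fresh generator instances, as `main` does for the weak path, also works as a regression check for code that is supposed to be unpredictable.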
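```java
// Fixed seed: every Random built from it produces the same sequence.
private static final long SEED = 1234567890;

public int generateAccountID() {
    Random random = new Random(SEED);
    return random.nextInt();
}
```

```php
// Seeding with the user ID makes the session ID a function of a known value.
function generateSessionID($userID){
    srand($userID);
    return rand();
}
```

| CVE ID | Title | CVSS | Severity | Published |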
|---|---|---|---|---|
| CVE-2026-24044 | ESS Community Helm Chart has a weak server key generation method — ess-helm | 9.1 (AI) | Critical (AI) | 2026-02-12 |
| CVE-2021-42810 | SafeNet Authentication Service Remote Desktop Gateway prior to 2.0.3 may allow privilege escalation to authenticated users — SafeNet Authentication Service | 7.8 | High | 2022-01-19 |
Vulnerabilities classified as CWE-336 (Same Seed in PRNG) represent 2 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.