What CVEs are caused by CWE-330?

140 recorded CVEs are attributed to CWE-330, including CVE-2023-22601, CVE-2026-27755, CVE-2025-4607.

Is CWE-330 part of the OWASP Top 10?

CWE-330 maps to OWASP Top Ten 2004: Broken Access Control (A2) in the OWASP security taxonomy.

How do you prevent CWE-330?

Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds.

How is CWE-330 detected?

Black Box: Use monitoring tools that examine the software's process as it interacts with the operating system and the network. This technique is useful in cases when source code is unavailable, if the software was not developed by you, or if you want to verify that the build phase did not introduce any new weaknesses. Examples include debuggers that directly attach to the running process; system-call tracing utilities such as truss (Solaris) and strace (Linux); system activity monitors such as FileMon, RegMon, Process Monitor, and other Sysinternals utilities (Windows); and sniffers and protocol analyzers that monitor network traffic.

What are the consequences of CWE-330?

Exploiting CWE-330 can lead to: Other, Bypass Protection Mechanism, Gain Privileges or Assume Identity.

Is CWE-330 actively exploited?

140 recorded CVEs are caused by CWE-330; none are currently in CISA's KEV catalog of actively exploited flaws.

Class weakness

Stable

CWE-330: Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Last updated May 1, 2026

140

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

High

Likelihood of exploit

Per MITRE

Class

Abstraction

MITRE classification

Overview

CWE-330 (Use of Insufficiently Random Values) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Background

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

This code attempts to generate a unique random identifier for a user's session.

Vulnerable example

php

function generateSessionID($userID){

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.

Vulnerable example

java

String GenerateReceiptURL(String baseUrl) {

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

CWE-330: Use of Insufficiently Random Values

CWE-330: Use of Insufficiently Random Values

Overview

Background

CWE-330: Use of Insufficiently Random Values

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Black Box

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-330?

What CVEs are caused by CWE-330?

Is CWE-330 part of the OWASP Top 10?

How do you prevent CWE-330?

How is CWE-330 detected?

What are the consequences of CWE-330?

Is CWE-330 actively exploited?

References

Stay ahead of CWE-330

Automated Static Analysis - Source Code

Architecture or Design Review

Can precede

Overview

Background

Overview

Background

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Black Box

Automated Static Analysis - Binary or Bytecode

Manual Static Analysis - Binary or Bytecode

Dynamic Analysis with Manual Results Interpretation

Manual Static Analysis - Source Code

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Attack patterns

Frequently asked questions

What is CWE-330?

What CVEs are caused by CWE-330?

Is CWE-330 part of the OWASP Top 10?

How do you prevent CWE-330?

How is CWE-330 detected?

What are the consequences of CWE-330?

Is CWE-330 actively exploited?

References

Stay ahead of CWE-330

Automated Static Analysis - Source Code

Architecture or Design Review

Can precede