CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
Last updated
Overview
PRNGs are deterministic and, while their output appears random, they cannot actually create entropy. They rely on cryptographically secure and unique seeds for entropy so proper seeding is critical to the secure operation of the PRNG. Management of seeds could be broken down into two main areas: (1) protecting seeds as cryptographic material (such as a cryptographic key); (2) whenever possible, using a uniquely generated seed from a cryptographically secure source PRNGs require a seed as input to generate a stream of numbers that are functionally indistinguishable from random numbers. While the output is, in many cases, sufficient for cryptographic uses, the output of any PRNG is directly determined by the seed provided as input. If the seed can be ascertained by a third party, the entire output of the PRNG can be made known to them. As such, the seed should be kept secret and should ideally not be able to be guessed. For example, the current time may be a poor seed. Knowing the approximate time the PRNG was seeded greatly reduces the possible key space. Seeds do not necessarily need to be unique, but reusing seeds may open up attacks if the seed is discovered.
Real-world CVEs
18 recorded CVEs are caused by CWE-335 (Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)). The highest-severity and most recent are shown first. 4 new CWE-335 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2024-36048Critical · CVSS 9.8 · EPSS 58th2024-05-18
- CVE-2023-4472
Cryptographically weak PRNG in Opinio 7.22
Critical · CVSS 9.8 · EPSS 46th2024-02-01 - CVE-2021-41117Critical · CVSS 9.1 · EPSS 86th2021-10-11
- CVE-2024-27632High · CVSS 8.8 · EPSS 67th2024-04-08
- CVE-2024-1579High · CVSS 8.1 · EPSS 41th2024-04-29
- CVE-2016-3735High · CVSS 8.1 · EPSS 69th2022-01-28
- CVE-2026-25835High · CVSS 7.7 · EPSS 7th2026-04-01
- CVE-2026-11702
Bytes::Random::Secure::Tiny versions through 1.011 for Perl share internal state across forked processes
High · CVSS 7.5 · EPSS 21th2026-06-26 - CVE-2026-11625
Bytes::Random::Secure versions through 0.29 for Perl share internal state across forked processes
High · CVSS 7.5 · EPSS 23th2026-06-26 - CVE-2025-27580High · CVSS 7.5 · EPSS 46th2025-04-23
- CVE-2025-24783
Apache Cocoon: continuations may not be private
High · CVSS 7.5 · EPSS 51th2025-01-27 - CVE-2022-39218High · CVSS 7.5 · EPSS 52th2022-09-20
Showing 12 of 18 recorded CWE-335 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-335 vulnerabilitiesCommon consequences
What can happen when CWE-335 is exploited.
Bypass Protection Mechanism, Other
Affects: Access Control, Other
If a PRNG is used incorrectly, such as using the same seed for each initialization or using a predictable seed, then an attacker may be able to easily guess the seed and thus the random numbers. This could lead to unauthorized access to a system if the seed is used for authentication and authorization.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code uses a statistical PRNG to generate account IDs.
Vulnerable example
private static final long SEED = 1234567890;Because the program uses the same seed value for every invocation of the PRNG, its values are predictable, making the system vulnerable to attack.
Both of these examples use a statistical PRNG seeded with the current value of the system clock to generate a random number:
Vulnerable example
Random random = new Random(System.currentTimeMillis());Vulnerable example
srand(time());An attacker can easily predict the seed used by these PRNGs, and so also predict the stream of random numbers generated. Note these examples also exhibit CWE-338 (Use of Cryptographically Weak PRNG).
This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key.
Vulnerable example
# getting 2 bytes of randomness for the seeding the PRNGSince only 2 bytes are used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-7010 — Cloud application on Kubernetes generates passwords using a weak random number generator based on deployment time.
- CVE-2019-11495 — server uses erlang:now() to seed the PRNG, which results in a small search space for potential random seeds
- CVE-2018-12520 — Product's PRNG is not seeded for the generation of session IDs
- CVE-2016-10180 — Router's PIN generation is based on rand(time(0)) seeding.
Terminology & mappings
Mapped taxonomies
- PLOVER: PRNG Seed Error
Frequently asked questions
Common questions about CWE-335.
- What is CWE-335?
- The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
- What CVEs are caused by CWE-335?
- 18 recorded CVEs are attributed to CWE-335, including CVE-2024-36048, CVE-2023-4472, CVE-2021-41117.
- How is CWE-335 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-335?
- Exploiting CWE-335 can lead to: Bypass Protection Mechanism, Other.
- Is CWE-335 actively exploited?
- 18 recorded CVEs are caused by CWE-335; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-335) (opens in a new tab)
- CWE-335 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-335
Get alerted the moment a new CWE-335 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.