logo

Insufficient Entropy in PRNG

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) doesn't have enough randomness (entropy) to start with, or isn't using enough during operation. This makes its outputs predictable, undermining both system stability and security.

Extended Description

Insufficient entropy means the PRNG's starting state or its ongoing process lacks true randomness. Instead of producing unpredictable sequences, it may generate numbers that are weak, repeatable, or follow detectable patterns. Attackers can exploit this predictability to guess security tokens, cryptographic keys, or session identifiers, leading directly to breaches like session hijacking or data decryption. For developers, the core issue often lies in using default or poorly seeded PRNGs, especially in virtualized or embedded environments where entropy sources (like user input or hardware events) are limited. To prevent this, always use cryptographically secure PRNGs (CSPRNGs) provided by your platform's security libraries, ensure they are properly seeded with high-quality entropy from reliable system sources, and avoid creating your own random number generation algorithms.
Common Consequences 2
Scope: Availability

Impact: DoS: Crash, Exit, or Restart

If a pseudo-random number generator is using a limited entropy source which runs out (if the generator fails closed), the program may pause or crash.

Scope: Access ControlOther

Impact: Bypass Protection MechanismOther

If a PRNG is using a limited entropy source which runs out, and the generator fails open, the generator could produce predictable random numbers. Potentially a weak source of random numbers could weaken the encryption method used for authentication of users.
Potential Mitigations 3
Phase: Architecture and DesignRequirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Phase: Implementation
Consider a PRNG that re-seeds itself as needed from high-quality pseudo-random output, such as hardware devices.
Phase: Architecture and Design
When deciding which PRNG to use, look at its sources of entropy. Depending on what your security needs are, you may need to use a random number generator that always uses strong random data -- i.e., a random number generator that attempts to be strong but will fail in a weak way or will always provide some middle ground of protection through techniques like re-seeding. Generally, something that always provides a predictable amount of strength is preferable.
Observed Examples 2
[REF-1374]Chain: JavaScript-based cryptocurrency library can fall back to the insecure Math.random() function instead of reporting a failure (Missing Report of Error Condition), thus reducing the entropy (Insufficient Entropy in PRNG) and leading to generation of non-unique cryptographic keys for Bitcoin wallets (Use of Weak Credentials)
CVE-2019-1715security product has insufficient entropy in the DRBG, allowing collisions and private key discovery
References 3
FIPS PUB 140-2: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology
25-05-2001
https://csrc.nist.gov/files/pubs/fips/140-2/upd2/final/docs/fips1402.pdf(2025-05-21)
ID: REF-267
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Randstorm: You Can't Patch a House of Cards
Unciphered
14-11-2023
https://www.unciphered.com/disclosure-of-vulnerable-bitcoin-wallet-library-2/(2025-07-29)
ID: REF-1374
Likelihood of Exploit

Medium

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Related Weaknesses
ChildOf: Insufficient Entropy (CWE-331)
Taxonomy Mapping
  • CLASP
  • The CERT Oracle Secure Coding Standard for Java (2011)
Notes
MaintenanceAs of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.