Small Seed Space in PRNG

Status: Draft
Abstraction: Variant
Structure: Simple

Description

This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) uses a seed that has too few possible values, making it easy for an attacker to guess through brute force.

Extended Description

A PRNG's output is not truly random; it's a predictable sequence determined entirely by its initial seed. If an attacker can observe some of the generator's output, they can launch a brute-force attack by systematically trying every possible seed value until they find the one that produces the matching sequence. Once the seed is discovered, the attacker can predict every future number the PRNG will generate, completely breaking its security. This risk is directly tied to the size of the seed space. A small seed space—like one using a 16-bit integer (65,536 possibilities) instead of a cryptographically secure 256-bit seed—drastically reduces the number of guesses an attacker needs to make. Modern computing power can exhaust such small spaces quickly, rendering the PRNG useless for security-sensitive operations like generating encryption keys, session tokens, or authentication codes.

Common Consequences
Scope: Other

Impact: Varies by Context

Potential Mitigations
Phase: Architecture and Design
Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Phases: Architecture and Design; Requirements

Strategy: Libraries or Frameworks

Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
Demonstrative Examples

ID: DX-178

This code grabs some random bytes and uses them for a seed in a PRNG, in order to generate a new cryptographic key.

Code Example (Bad, Python):

```python
import os
import random

# getting 2 bytes of randomness for seeding the PRNG
seed = os.urandom(2)
random.seed(a=seed)
key = random.getrandbits(128)
```

Since only 2 bytes are used as a seed, an attacker will only need to guess 2^16 (65,536) values before being able to replicate the state of the PRNG.
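The following is an added example, not code from the CWE entry. It puts the Extended Description's brute-force argument and the Bad example above side by side in runnable form: a 2-byte seed to Python's non-cryptographic `random` module, an observer who sees a single 128-bit output and exhausts all 65,536 candidate seeds to recover it, and the resulting prediction of later outputs. It then shows the mitigation's side: a length check against the 256-bit baseline and key material drawn from the OS CSPRNG via `secrets`. All function names and the sample seed `b"\x12\x34"` are constructed for this demonstration.

```python
"""Added example (not the CWE entry's own code): a 2-byte PRNG seed is exhausted
by brute force from one observed output; the hardened path uses a 256-bit
baseline and the OS CSPRNG. Names and the sample seed are constructed."""
import random
import secrets

WEAK_SEED_BYTES = 2   # 16-bit seed space, as in the Bad example above
MIN_SEED_BITS = 256   # the mitigation's suggested starting point


def weak_outputs(seed: bytes, count: int) -> list:
    """Mirror the Bad example: seed random with a short byte string and draw
    128-bit values. Seeding with bytes is deterministic, so the same seed
    always yields the same sequence (this is what makes recovery possible)."""
    rng = random.Random()
    rng.seed(seed)
    return [rng.getrandbits(128) for _ in range(count)]


def recover_seed(observed: int, seed_bytes: int = WEAK_SEED_BYTES):
    """Exhaust the seed space: try all 256**seed_bytes byte strings and return
    the one whose first 128-bit output equals `observed` (None if no match)."""
    rng = random.Random()
    for n in range(256 ** seed_bytes):
        candidate = n.to_bytes(seed_bytes, "big")
        rng.seed(candidate)
        if rng.getrandbits(128) == observed:
            return candidate
    return None


def predict_after(seed: bytes, skip: int, count: int) -> list:
    """Replay the `skip` outputs already seen, then return the next `count`."""
    return weak_outputs(seed, skip + count)[skip:]


def seed_space_bits(seed: bytes) -> int:
    """Size of the seed space in bits for a seed of this length."""
    return 8 * len(seed)


def check_seed_length(seed: bytes, minimum_bits: int = MIN_SEED_BITS) -> bool:
    """Defensive check: reject seeds below the 256-bit baseline."""
    return seed_space_bits(seed) >= minimum_bits


def strong_key() -> bytes:
    """Hardened replacement: take key material from the OS CSPRNG directly
    instead of seeding a statistical PRNG with it."""
    return secrets.token_bytes(32)


def demo(seed: bytes = b"\x12\x34") -> dict:
    """Constructed scenario: a victim derives a 128-bit key from a 2-byte seed;
    an observer who sees that key recovers the seed and predicts the next three."""
    victim = weak_outputs(seed, 4)
    observed, later = victim[0], victim[1:]
    recovered = recover_seed(observed)
    predicted = predict_after(recovered, skip=1, count=3) if recovered else []
    return {
        "recovered": recovered,
        "weak_seed_ok": check_seed_length(seed),        # False: 16 bits
        "prediction_matches": predicted == later,     # True once seed is known
        "strong_seed_ok": check_seed_length(strong_key()),  # True: 256 bits
    }


if __name__ == "__main__":
    print(demo())
```

The loop in `recover_seed` finishes in a few seconds on ordinary hardware, which is the Extended Description's point: a 16-bit seed space offers no meaningful resistance. Raising the seed to 32 bytes makes the same loop infeasible, and for key generation the better fix is to skip the statistical PRNG entirely, as `strong_key` does.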
Observed Examples

CVE-2019-10908: product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed.
References

[REF-267] FIPS PUB 140-2: Security Requirements for Cryptographic Modules. Information Technology Laboratory, National Institute of Standards and Technology, 25-05-2001.
[REF-1192] FIPS PUB 140-3: Security Requirements for Cryptographic Modules. Information Technology Laboratory, National Institute of Standards and Technology, 22-03-2019.
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • PLOVER
Notes
Maintenance: This entry may have a chaining relationship with Predictable from Observable State.
Maintenance: As of CWE 4.5, terminology related to randomness, entropy, and predictability can vary widely. Within the developer and other communities, "randomness" is used heavily. However, within cryptography, "entropy" is distinct, typically implied as a measurement. There are no commonly-used definitions, even within standards documents and cryptography papers. Future versions of CWE will attempt to define these terms and, if necessary, distinguish between them in ways that are appropriate for different communities but do not reduce the usability of CWE for mapping, understanding, or other scenarios.