CVE-2025-0577
Insufficient Entropy in glibc getrandom/arc4random Post-fork
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: Fedora Project
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gnu | glibc | * |
| gnu | glibc | 2.39 |
| gnu | glibc | 2.40 |
| gnu | glibc | 2.41 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-0577 is a vulnerability in the GNU C Library (glibc) affecting the getrandom system call wrapper and the arc4random family of functions. Specifically, when a fork happens concurrently with a call to any of these functions, the randomness they produce afterwards may become predictable. This is caused by an issue in the vDSO (virtual Dynamic Shared Object) acceleration of the getrandom call in certain glibc builds shipped in Fedora 40, Fedora 41, and CentOS 10 Stream.
Because these functions are supposed to provide secure random values, the flaw compromises the quality and security of the randomness, potentially allowing attackers to predict random values that should be unpredictable.
How can this vulnerability impact me?
This vulnerability can impact you by causing the random values generated by the getrandom and arc4random functions to be predictable after a fork operation. Predictable randomness can weaken security mechanisms that rely on strong random values, such as cryptographic key generation, session tokens, or other security-critical operations.
As a result, attackers might exploit this flaw to guess or reproduce random values, potentially leading to compromised confidentiality and integrity of systems or data that depend on these random values.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects specific versions of glibc in Fedora 40, Fedora 41, and CentOS 10 Stream where the getrandom and arc4random functions may produce predictable randomness after a fork operation. Detection involves identifying if your system is running one of the affected glibc versions.
You can check the installed glibc version on your system using the following command:
- rpm -q glibc
If the version falls within the affected ranges (e.g., 2.39-28.fc40 through 2.39-33.fc40 for Fedora 40, 2.40-12.fc41 through 2.40-17.fc41 for Fedora 41, or 2.39-29.el10 through 2.39-33.el10 for CentOS 10 Stream), your system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating glibc to a version that is not affected by this vulnerability. Since no upstream glibc release is impacted and the issue was identified during development of glibc 2.41, applying vendor patches or upgrading to a fixed glibc version provided by your distribution is recommended.
You should check for and install security updates from your Linux distribution's package manager. For example, on Fedora or CentOS, you can run:
- sudo dnf update glibc
Additionally, avoid running applications that rely on getrandom or arc4random functions immediately after a fork until the update is applied. [1]
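The detection and mitigation answers above boil down to one check: is the installed glibc build inside one of the affected release ranges? The following script is an added example (not part of this CVE record, nor code from glibc, Fedora or CentOS) that parses a glibc package string as printed by rpm -q glibc, compares the release number against the ranges quoted on this page, and points at the update command when a build is affected. It assumes the usual Fedora/CentOS package layout glibc-<version>-<release>.<disttag>.<arch>; anything else is reported as unknown rather than guessed, and the sample package strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify glibc package strings (NEVRA, as printed by
# "rpm -q glibc") against the affected build ranges quoted on this page.
# Assumption: packages look like glibc-2.39-30.fc40.x86_64
# (glibc-<version>-<release>.<disttag>.<arch>); other layouts -> "unknown".

# Print "affected", "not-affected" or "unknown" for one package string.
is_affected() {
    nevra="$1"
    case "$nevra" in
        glibc-*) ;;                          # only the glibc package itself
        *) echo unknown; return 0 ;;
    esac
    vr="${nevra#glibc-}"                     # 2.39-30.fc40.x86_64
    vr="${vr%.*}"                            # drop the architecture -> 2.39-30.fc40
    case "$vr" in
        *-*) ;;                              # need a version-release pair
        *) echo unknown; return 0 ;;
    esac
    version="${vr%%-*}"                      # 2.39
    release="${vr#*-}"                       # 30.fc40
    relnum="${release%%.*}"                  # 30
    disttag="${release#*.}"                  # fc40
    case "$version" in                       # version must be dotted digits
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    case "$relnum" in                        # release number must be an integer
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # Inclusive affected build ranges, as stated in the Q&A on this page.
    case "$version-$disttag" in
        2.39-fc40) lo=28; hi=33 ;;           # Fedora 40
        2.40-fc41) lo=12; hi=17 ;;           # Fedora 41
        2.39-el10) lo=29; hi=33 ;;           # CentOS 10 Stream
        *) echo not-affected; return 0 ;;
    esac
    if [ "$relnum" -ge "$lo" ] && [ "$relnum" -le "$hi" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# With arguments, classify each one and advise on remediation. Typical use:
#   sh glibc_check.sh $(rpm -q glibc)
# (unquoted, so each installed multilib package becomes its own argument).
if [ "$#" -gt 0 ]; then
    for nevra in "$@"; do
        verdict=$(is_affected "$nevra")
        printf '%s: %s\n' "$nevra" "$verdict"
        if [ "$verdict" = affected ]; then
            echo '  -> install the vendor fix: sudo dnf update glibc'
        fi
    done
fi
```

The check is deliberately conservative: a package it cannot parse (a different naming scheme, or a related package such as glibc-common) is reported as unknown so that a formatting surprise never reads as a clean bill of health. Because the affected ranges are distribution build numbers rather than upstream versions, the comparison keys on the dist tag as well as the version.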