CVE-2026-34871
Predictable Seed Vulnerability in Mbed TLS and TF-PSA PRNG
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| arm | mbed_tls | < 3.6.6 (3.6.6 not affected) |
| arm | tf-psa-crypto | < 1.1.0 (1.1.0 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-338 | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34871 is a vulnerability in Mbed TLS and TF-PSA-Crypto in which the pseudo-random number generator (PRNG) can be seeded with a predictable value. Specifically, on Linux systems the library's entropy source can fall back to reading /dev/urandom, which may weaken the quality of the seed material the cryptographic library relies on.
How can this vulnerability impact me?
This vulnerability affects the security of every cryptographic operation that depends on high-quality randomness. If the PRNG seed is predictable, an attacker who can narrow down the possible seed values can reproduce the generator's output and thereby recover keys, nonces, or other secret values the library generated, compromising confidentiality and integrity.
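The following is a worked illustration of the impact described above. It is example code added for this page; it is not the advisory's, Mbed TLS's, or TF-PSA-Crypto's code, and it does not reproduce the CVE's actual seeding path, which the advisory does not detail. It uses a toy DRBG (SplitMix64, standing in for any generator), a hypothetical victim that seeds it from a 32-bit boot timestamp, and an attacker who recovers the resulting key by enumerating timestamps around the known generation time. The attack requires only that the seed be predictable; the strength of the generator itself does not matter.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy deterministic generator (SplitMix64), standing in for any DRBG.
 * Constructed for this example; it is NOT the Mbed TLS CTR-DRBG. The
 * point is that the attack needs only the seed, not a weakness in the
 * generator. */
typedef struct { uint64_t state; } toy_drbg;

static void toy_drbg_seed(toy_drbg *g, uint64_t seed) { g->state = seed; }

static uint64_t toy_drbg_next(toy_drbg *g) {
    uint64_t z = (g->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Derive a 16-byte key from a generator seeded with `seed`. */
static void key_from_seed(uint64_t seed, uint8_t key[16]) {
    toy_drbg g;
    toy_drbg_seed(&g, seed);
    for (int i = 0; i < 2; i++) {
        uint64_t w = toy_drbg_next(&g);
        memcpy(key + 8 * i, &w, sizeof w);
    }
}

/* Victim: seeds from a 32-bit boot timestamp, i.e. a predictable seed
 * (hypothetical weak seeding, not the CVE's actual code path). */
void victim_generate_key(uint32_t boot_time, uint8_t key[16]) {
    key_from_seed((uint64_t)boot_time, key);
}

/* Attacker: holds one key produced by the victim (e.g. recovered from a
 * captured session) and knows roughly when it was generated. Enumerates
 * every timestamp within +/- `window` seconds of `approx_time`.
 * Returns 1 and writes the seed on success, 0 if no candidate matched. */
int attacker_recover_seed(const uint8_t observed[16], uint32_t approx_time,
                          uint32_t window, uint32_t *seed_out) {
    uint32_t lo = approx_time > window ? approx_time - window : 0;
    uint32_t hi = approx_time > UINT32_MAX - window ? UINT32_MAX
                                                   : approx_time + window;
    uint8_t candidate[16];
    for (uint32_t t = lo; ; t++) {
        victim_generate_key(t, candidate);
        if (memcmp(candidate, observed, sizeof candidate) == 0) {
            *seed_out = t;
            return 1;
        }
        if (t == hi) break;   /* avoids wrap-around when hi == UINT32_MAX */
    }
    return 0;
}

/* Returns 1 if a key seeded from a timestamp inside the attacker's
 * window is recovered, 0 otherwise. */
int demo_predictable_seed_is_recovered(void) {
    uint8_t key[16];
    uint32_t seed = 0;
    victim_generate_key(1700000123u, key);   /* constructed boot timestamp */
    return attacker_recover_seed(key, 1700000000u, 3600u, &seed)
           && seed == 1700000123u;
}

/* Returns 1 if the same search fails once the seed is a full 64-bit
 * value the attacker cannot enumerate (constructed value standing in
 * for output of a real entropy source), showing the attack depends on
 * seed predictability alone. */
int demo_unpredictable_seed_survives(void) {
    uint8_t key[16];
    uint32_t seed = 0;
    key_from_seed(0x5DEECE66D1B3C4A7ULL, key);
    return attacker_recover_seed(key, 1700000000u, 3600u, &seed) == 0;
}

int main(void) {
    printf("predictable seed recovered: %d\n", demo_predictable_seed_is_recovered());
    printf("wide seed survives search:  %d\n", demo_unpredictable_seed_survives());
    return 0;
}
```

The brute force here covers only 7201 candidates, which is why a timestamp-sized seed space is fatal regardless of the DRBG used. The fix on the library side is to seed from a source that supplies its full declared entropy (so the seed space cannot be enumerated) and to fail closed, rather than silently degrade, when that source is unavailable.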
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.