CVE-2026-13199
Received
Received - Intake
EEPROM Firmware Flaws Cause Non-Random KASLR and RNG Seeds on Raspberry Pi 5
Vulnerability report for CVE-2026-13199, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-07
Last updated on: 2026-07-07
Assigner: Nozomi Networks Inc.
Description
Description
EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices produced non-random KASLR and RNG seed values. This resulted in consistent kernel addresses across boots and devices, potentially making it easier to exploit other vulnerabilities. Additionally, the low-quality RNG seed may affect the quality of random numbers or delay booting while sufficient entropy is accumulated from other sources.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| raspberry_pi | rpi_eeprom | to 28.22-1 (exc) |
| raspberry_pi | rpi_eeprom | From 28.22-1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |