{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-34871", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-01T20:04:34.444Z", "dateReserved": "2026-03-31T00:00:00.000Z", "datePublished": "2026-04-01T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T18:29:09.955Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG)."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-338", "lang": "en", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T20:04:03.011688Z", "id": "CVE-2026-34871", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:04:34.444Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-34871", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T20:04:03.011688Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T20:01:38.168Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-01T18:29:09.955Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34871", "state": "PUBLISHED", "dateUpdated": "2026-04-01T20:04:34.444Z", "dateReserved": "2026-03-31T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-01T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "matchCriteriaId": "C8FBFC2E-329D-4274-A952-2D43378B83BD", "versionEndExcluding": "3.6.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:arm:tf-psa-crypto:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F85529C-03C6-44F4-9242-372DCDF0B52C", "versionEndExcluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG)."}], "id": "CVE-2026-34871", "lastModified": "2026-04-06T14:30:17.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T19:16:33.267", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "mbedtls", "vendor": "mbed-tls"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "tf-psa-crypto", "vendor": "mbed-tls"}], "analysis": {"en": {"generated_at": "2026-04-06T17:43:56.161943+00:00", "value": {"mitigation_remediation": ["Upgrade Mbed TLS to release 3.6.6 or later, or to a 4.x release of 4.1.0 or newer, and replace TF\u2011PSA\u2011Crypto with version 1.1.0 or later.", "Verify that the library version installed on all devices matches the patched release.", "Continue monitoring vendor advisories and validate any future random number generation used by firmware."], "summary": {"action": "Patch Now", "impact": "Predictable Random Number Generator Seed leading to cryptographic compromise"}, "threat_synthesis": {"affected_systems": "Embedded systems and applications that incorporate ARM's Mbed TLS library prior to version 3.6.6, or the 4.x series before 4.1.0, and TF\u2011PSA\u2011Crypto before 1.1.0 are affected. These libraries are widely used in IoT firmware, secure boot solutions, and trust\u2011zone APIs on ARM processors.", "description_and_impact": "The vulnerability arises from a predictable seed in the pseudo\u2011random number generator used by Mbed TLS and TF\u2011PSA\u2011Crypto. A determined attacker can predict the output of the PRNG, allowing compromise of cryptographic material such as keys, nonces, or session tokens. The weakness is formally identified as CWE\u2011338 and can result in loss of confidentiality and integrity for any encryption or authentication relying on the affected randomness source.", "risk_and_exploitability": "The severity score of 6.7 places this issue in the medium\u2011high range. The EPSS score is less than 1\u202f%, indicating a low probability of exploitation, and it is not listed in the CISA KEV catalog. Because the flaw is limited to the PRNG seed, exploitation requires an attacker who can influence or observe the seeding process, which is generally available to local or remote firmware running with the affected library. The cryptographic compromise potential makes this a critical concern for systems that treat PRNG output as fully random."}}}}, "created": "2026-04-02T07:51:14.627873+00:00", "updated": "2026-04-07T08:07:42.575073+00:00", "vendors": ["mbed-tls", "mbed-tls$PRODUCT$mbedtls", "mbed-tls$PRODUCT$tf-psa-crypto"]}