SB20260423131 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in DuckDB
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2025-64429)
CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to the use of a cryptographically weak random number generator in the encryption crypto implementation when generating cryptographic keys, IVs, and DatabaseID values with the fallback Mbed TLS implementation. A remote attacker can recover the internal RNG state from public IVs to disclose sensitive information.
This issue affects temporary file encryption when the fallback Mbed TLS implementation is used.
Remediation
Install update from vendor's website.