SB20260423131 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in DuckDB



SB20260423131 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in DuckDB

Published: April 23, 2026

Security Bulletin ID SB20260423131
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2025-64429)

CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to the use of a cryptographically weak random number generator in the encryption crypto implementation when generating cryptographic keys, IVs, and DatabaseID values with the fallback Mbed TLS implementation. A remote attacker can recover the internal RNG state from public IVs to disclose sensitive information.

This issue affects temporary file encryption when the fallback Mbed TLS implementation is used.


Remediation

Install update from vendor's website.