#VU124803 Use of insufficiently random values in mbed TLS - CVE-2026-34871

 

Published: April 2, 2026


Vulnerability identifier: #VU124803
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34871
CWE-ID: CWE-330
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: mbed TLS
Software vendor: ARM

Description

The vulnerability allows a local user to compromise cryptographic operations by causing the use of predictable random data.

The vulnerability exists due to an improper fallback to /dev/urandom in entropy collection on Linux when getrandom() is unavailable or blocked. A local user who can influence system state or restrict access to getrandom() can force the use of /dev/urandom during early boot, leading to insufficient entropy and predictable cryptographic output.

Devices without hardware random number generators are especially at risk during initial boot or OS installation. The issue affects Linux platforms where getrandom() is not available (kernel <3.17), is blocked by sandboxing, or is not supported by the C library.
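The following is an added example, not code from mbed TLS or from this advisory, showing one defensive shape for a Linux entropy collector: it invokes getrandom(2) through the raw syscall (so a C library without a wrapper is not a reason to fall back), and when the syscall is absent or blocked it reads /dev/urandom only after the kernel signals readiness by making /dev/random pollable. The readiness check is a heuristic and an assumption of this example: on recent kernels POLLIN on /dev/random means the CRNG is seeded, on older kernels it means the input pool has reached its read wakeup threshold. The function names and the timeout parameter are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Prototype given explicitly so the raw syscall is usable even when the
 * C library headers do not expose it under the current feature macros. */
long syscall(long number, ...);

/* Fill buf with len bytes from getrandom(2). Flags 0 means the call blocks
 * until the kernel pool is initialized, which is the early-boot behaviour
 * we want. Returns 0 on success, -1 with errno set on failure. */
static int fill_from_getrandom(unsigned char *buf, size_t len)
{
#ifdef SYS_getrandom
    size_t off = 0;
    while (off < len) {
        long n = syscall(SYS_getrandom, buf + off, len - off, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;              /* ENOSYS: old kernel; EPERM: sandbox */
        }
        off += (size_t)n;
    }
    return 0;
#else
    (void)buf; (void)len;
    errno = ENOSYS;                 /* headers predate getrandom */
    return -1;
#endif
}

/* Heuristic readiness gate (assumption of this example): wait up to
 * timeout_ms for /dev/random to become readable before trusting
 * /dev/urandom. Returns 0 when ready, -1 on error or timeout. */
static int wait_for_kernel_entropy(int timeout_ms)
{
    int fd = open("/dev/random", O_RDONLY);
    if (fd < 0)
        return -1;
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    int r;
    do {
        r = poll(&p, 1, timeout_ms);
    } while (r < 0 && errno == EINTR);
    close(fd);
    if (r == 0) {
        errno = ETIMEDOUT;
        return -1;
    }
    if (r < 0)
        return -1;
    return (p.revents & POLLIN) ? 0 : -1;
}

/* Plain /dev/urandom reader; only called once the gate above has passed. */
static int fill_from_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (n == 0) {               /* should not happen for urandom */
            close(fd);
            errno = EIO;
            return -1;
        }
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Entry point: prefer getrandom(); otherwise fall back only through the
 * readiness gate, never blindly. Returns 0 on success, -1 on failure. */
int secure_random_bytes(unsigned char *buf, size_t len, int timeout_ms)
{
    if (fill_from_getrandom(buf, len) == 0)
        return 0;
    if (wait_for_kernel_entropy(timeout_ms) != 0)
        return -1;                  /* refuse rather than use a cold pool */
    return fill_from_urandom(buf, len);
}

int main(void)
{
    unsigned char key[16];
    if (secure_random_bytes(key, sizeof key, 30000) != 0) {
        perror("secure_random_bytes");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++)
        printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

The design point is that the failure to obtain getrandom() is not itself what makes output predictable; reading /dev/urandom before the pool is seeded is. Returning an error when the gate does not open within the timeout lets the caller fail closed (for example, delay key generation) instead of silently producing weak keys.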


Remediation

Install the security update from the vendor's website.

External links