Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in DuckDB - CVE-2025-64429

Published: April 23, 2026


Vulnerability identifier: #VU127068
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-64429
CWE-ID: CWE-338
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: DuckDB
Affected software:
DuckDB

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to the use of a cryptographically weak random number generator in the encryption implementation when generating cryptographic keys, IVs, and DatabaseID values with the fallback Mbed TLS implementation. A remote attacker who observes the public IVs can recover the internal RNG state and disclose sensitive information.

This issue affects temporary file encryption when the fallback Mbed TLS implementation is used.
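Added illustration of the weakness class (CWE-338) described above; it is not DuckDB's or Mbed TLS's code. A constructed toy LCG stands in for "a cryptographically weak PRNG": because its whole state is its last output, an IV drawn from the same stream as the key lets an observer step the generator back to the key. The corrected pattern draws every secret from the OS CSPRNG instead.

```python
"""Constructed illustration of CWE-338 in key/IV generation (not DuckDB or Mbed TLS code)."""
import secrets

LCG_A, LCG_C, LCG_MOD = 1664525, 1013904223, 2**32
LCG_A_INV = pow(LCG_A, -1, LCG_MOD)  # LCG_A is odd, so each step can be undone


class WeakRng:
    """Toy LCG: its entire internal state is its most recent 32-bit output."""

    def __init__(self, seed: int) -> None:
        self.state = seed % LCG_MOD

    def next_u32(self) -> int:
        self.state = (LCG_A * self.state + LCG_C) % LCG_MOD
        return self.state

    def random_bytes(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self.next_u32().to_bytes(4, "big")
        return bytes(out[:n])


def weak_material(rng: WeakRng) -> tuple[bytes, bytes, bytes]:
    """Key, IV and database id drawn in order from one weak stream (the flawed pattern)."""
    return rng.random_bytes(32), rng.random_bytes(16), rng.random_bytes(16)


def strong_material() -> tuple[bytes, bytes, bytes]:
    """Fixed pattern: key, IV and database id each come from the OS CSPRNG."""
    return secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(16)


def key_implied_by_iv(iv: bytes) -> bytes:
    """What a public IV reveals about the key under the toy generator.

    The last IV word is the generator state; stepping backwards over the four IV
    words reaches the eight key words emitted just before them."""
    state = int.from_bytes(iv[-4:], "big")
    for _ in range(4):  # undo the four IV outputs
        state = ((state - LCG_C) * LCG_A_INV) % LCG_MOD
    words = [state]  # last key word
    for _ in range(7):  # undo the remaining key outputs
        state = ((state - LCG_C) * LCG_A_INV) % LCG_MOD
        words.append(state)
    return b"".join(w.to_bytes(4, "big") for w in reversed(words))
```

With the toy generator the recovered value equals the real key; with `secrets` the IV carries no information about the key, which is the property a CSPRNG-backed fix restores.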


How to mitigate CVE-2025-64429

Install the security update from the vendor's website.
