CVE-2026-34871

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

—

Description

An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-34871 NameCVE-2026-34871 DescriptionAn issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG). SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)…

CVE-2026-34871

Name	CVE-2026-34871
Description	An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4551-1
Debian Bugs	1132577

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
mbedtls (PTS)	bullseye	2.16.9-0.1	vulnerable
	bullseye (security)	2.16.9-0.1+deb11u4	fixed
	bookworm	2.28.3-1	vulnerable
	trixie	3.6.5-0.1~deb13u1	vulnerable
	forky, sid	3.6.6-0.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
mbedtls	source	bullseye	2.16.9-0.1+deb11u4		DLA-4551-1
mbedtls	source	(unstable)	3.6.6-0.1	unimportant		1132577

Notes

[trixie] - mbedtls <no-dsa> (Minor issue)
[bookworm] - mbedtls <no-dsa> (Minor issue)
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/
Builds using Glibc or uClibc, running on a kernel where getrandom() is available, are safe.

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[trixie] - mbedtls <no-dsa> (Minor issue)[bookworm] - mbedtls <no-dsa> (Minor issue)https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/Builds using Glibc or uClibc, running on a kernel where getrandom() is available, are safe.

OS impact

OS	Version	Status	Fixed in
sles		affected
debian	bookworm	affected
debian	bullseye	fixed	`2.16.9-0.1+deb11u4`
debian	forky	fixed	`3.6.6-0.1`
debian	sid	fixed	`3.6.6-0.1`
debian	trixie	affected

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.