CVE-2022-40769
published 2022-09-18


Priority: P274 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW: VulnCheck KEV (exploited in the wild)
EPSS: 1.04% (59.6th percentile)

profanity through 1.60 has only four billion possible RNG initializations. Thus, attackers can recover private keys from Ethereum vanity addresses and steal cryptocurrency, as exploited in the wild in June 2022.

Affected

1 range
Vendor: profanity_project
Product: profanity
Version range: <= 1.60
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

  • Ethereum private keys generated by Profanity through version 1.60 can be brute-forced by exhausting the ~4 billion RNG seed space. Monitor for unauthorized transfers from known Profanity-generated vanity addresses.
  • The vulnerability is specific to Profanity versions through 1.60, where the RNG is seeded with only a 32-bit value, limiting the keyspace to approximately 4 billion possibilities rather than the cryptographically required 256-bit entropy.
  • Exploitation was confirmed in the wild as early as June 2022, meaning affected vanity addresses generated by Profanity prior to patching should be considered compromised.
  • The root cause is use of a small (32-bit) random seed for RNG initialization in vanity address generation; any tool with a similar design flaw would be equally vulnerable.

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH