CVE-2024-10026 — Use of Weak Hash in Google Gvisor

CWE-328 — Use of Weak Hash CWE-339 — Small Seed Space in PRNG CWE-326 — Inadequate Encryption Strength CWE-335 — Incorrect Usage of Seeds in Pseudo-Random Number Generator5 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.0%

top 85.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Gvisor

Timeline

PublishedJan 30

Description

A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages1 packages

▶NVDgoogle/gvisor20231106.0 — 20231204.0+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Improved Seeding and Hashing In gVisor↗2025-01-30

▶

GHSA

GHSA-w2xg-49x3-6w59: A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-b↗2025-01-30

▶

OSV

CVE-2024-10026: A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-b↗2025-01-30

▶

💥Exploits & PoCs

Nuclei

Synology BeeStation BST150-4T - Unauthenticated Command Injection

▶