Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-0577

Summary
Assigner-fedora
Assigner Org ID-92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5
Published At-18 Feb, 2026 | 20:25
Updated At-18 Feb, 2026 | 20:25
Rejected At-
Credits

Glibc: vdso getrandom acceleration may return predictable randomness

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:fedora
Assigner Org ID:92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5
Published At:18 Feb, 2026 | 20:25
Updated At:18 Feb, 2026 | 20:25
Rejected At:
▼CVE Numbering Authority (CNA)
Glibc: vdso getrandom acceleration may return predictable randomness

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.

Affected Products
Collection URL
https://sourceware.org/git/?p=glibc.git
Package Name
glibc
Default Status
unaffected
Versions
Affected
  • From 2.39-28.fc40 through 2.39-33.fc40 (semver)
  • From 2.40-12.fc41 through 2.40-17.fc41 (semver)
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 10
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glibc
CPEs
  • cpe:/o:redhat:enterprise_linux:10
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 6
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glibc
CPEs
  • cpe:/o:redhat:enterprise_linux:6
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glibc
CPEs
  • cpe:/o:redhat:enterprise_linux:7
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 8
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glibc
CPEs
  • cpe:/o:redhat:enterprise_linux:8
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Enterprise Linux 9
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
glibc
CPEs
  • cpe:/o:redhat:enterprise_linux:9
Default Status
unaffected
Problem Types
TypeCWE IDDescription
CWECWE-331Insufficient Entropy
Type: CWE
CWE ID: CWE-331
Description: Insufficient Entropy
Metrics
VersionBase scoreBase severityVector
3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Red Hat severity rating
value:
Moderate
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds

Red Hat Product Security does not have any mitigation recommendations at this time.

Exploits
Credits
Timeline
EventDate
Reported to Red Hat.2025-01-19 15:27:34
Made public.2025-01-23 22:40:05
Event: Reported to Red Hat.
Date: 2025-01-19 15:27:34
Event: Made public.
Date: 2025-01-23 22:40:05
Replaced By
Rejected Reason
References
HyperlinkResource
https://access.redhat.com/security/cve/CVE-2025-0577
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2338871
issue-tracking
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2025-0577
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2338871
Resource:
issue-tracking
x_refsource_REDHAT
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:patrick@puiterwijk.org
Published At:18 Feb, 2026 | 21:16
Updated At:18 Feb, 2026 | 21:16

An insufficient entropy vulnerability was found in glibc. The getrandom and arc4random family of functions may return predictable randomness if these functions are called again after the fork, which happens concurrently with a call to any of these functions.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-331Secondarypatrick@puiterwijk.org
CWE ID: CWE-331
Type: Secondary
Source: patrick@puiterwijk.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://access.redhat.com/security/cve/CVE-2025-0577patrick@puiterwijk.org
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=2338871patrick@puiterwijk.org
N/A
Hyperlink: https://access.redhat.com/security/cve/CVE-2025-0577
Source: patrick@puiterwijk.org
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2338871
Source: patrick@puiterwijk.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2024-7318
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-1.39% / 80.03%
||
7 Day CHG~0.00%
Published-09 Sep, 2024 | 18:50
Updated-26 Jan, 2026 | 15:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakRed Hat build of Keycloak 24Red Hat Build of Keycloak
CWE ID-CWE-324
Use of a Key Past its Expiration Date
CVE-2024-9683
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.17% / 37.85%
||
7 Day CHG~0.00%
Published-17 Oct, 2024 | 14:08
Updated-07 Nov, 2025 | 00:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quay: quay allows successful authentication with trucated version of the password

A vulnerability was found in Quay, which allows successful authentication even when a truncated password version is provided. This flaw affects the authentication mechanism, reducing the overall security of password enforcement.  While the risk is relatively low due to the typical length of the passwords used (73 characters), this vulnerability can still be exploited to reduce the complexity of brute-force or password-guessing attacks. The truncation of passwords weakens the overall authentication process, thereby reducing the effectiveness of password policies and potentially increasing the risk of unauthorized access in the future.

Action-Not Available
Vendor-Red Hat, Inc.
Product-quayRed Hat Quay 3
CWE ID-CWE-305
Authentication Bypass by Primary Weakness
CWE ID-CWE-287
Improper Authentication
CVE-2024-6508
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8||HIGH
EPSS-0.99% / 76.42%
||
7 Day CHG+0.09%
Published-21 Aug, 2024 | 05:45
Updated-11 Nov, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Openshift-console: oauth2 insufficient state parameter entropy

An insufficient entropy vulnerability was found in the Openshift Console. In the authorization code type and implicit grant type, the OAuth2 protocol is vulnerable to a Cross-Site Request Forgery (CSRF) attack if the state parameter is used inefficiently. This flaw allows logging into the victim’s current application account using a third-party account without any restrictions.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Container Platform 4.14Red Hat OpenShift Container Platform 4.16Red Hat OpenShift Container Platform 4.17Red Hat OpenShift Container Platform 4.13Red Hat OpenShift Container Platform 4.15Red Hat OpenShift Container Platform 4.12
CWE ID-CWE-331
Insufficient Entropy
Details not found