CVE-2026-34871

6.7 MEDIUM

An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0

Published: 2026-04-01 · Last updated: 2026-06-05

Severity and scoring

CVSS: 6.7 MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-338

Affected products

Vendor	Product
arm	mbed_tls, tf-psa-crypto
trustedfirmware	mbed_tls, tf-psa-crypto

Description

An issue was discovered in Mbed TLS before 3.6.6 and 4.x before 4.1.0 and TF-PSA-Crypto before 1.1.0. There is a Predictable Seed in a Pseudo-Random Number Generator (PRNG).

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-34871
[Vendor advisory]https://mbed-tls.readthedocs.io/en/latest/security-advisories/
[Vendor advisory]https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2026-03-dev-random/

Related CVEs

Same vendor

CVE-2026-45702 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (4.4 MEDIUM)
CVE-2026-45614 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (4.7 MEDIUM)
CVE-2026-40290 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (7.8 HIGH)
CVE-2026-33662 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (7.5 HIGH)
CVE-2026-33317 — OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using t... (8.7 HIGH)

Same CWE

CVE-2026-11832 — Dancer2::Plugin::Auth::OAuth versions before 0.22 for Perl default to a predictable nonce (9.1 CRITICAL)
CVE-2026-9638 — Crypt::PBKDF2 versions before 0.261630 for Perl generate insecure random values for salts (7.5 HIGH)
CVE-2026-46493 — HAX CMS helps manage microsite universe with PHP or NodeJs backends (7.5 HIGH)
CVE-2026-11347 — The linqi application contains hardcoded cryptographic keys
CVE-2026-41858 — Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a... (7.5 HIGH)