CVE-2009-3238
MEDIUM
Linux kernel <2.6.30 - Info Disclosure
Title source: llm
Description
The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."
Scores
CVSS v3
5.5
EPSS
0.0024
EPSS Percentile
47.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Classification
CWE
CWE-338
Status
draft
Affected Products (8)
linux/linux_kernel
< 2.6.30
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
opensuse/opensuse
suse/linux_enterprise_desktop
suse/linux_enterprise_server
Timeline
Published
Sep 18, 2009
Tracked Since
Feb 18, 2026