CVE-2024-10026 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-10026

CVE-2024-10026

January 30, 2025

A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.

Related Resources (4)

https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af

https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2

https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56

https://www.ndss-symposium.org/wp-content/uploads/2025-122-paper.pdf

Do you need more information?

CVSS v4

Base Score:

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

LOW

Subsequent System Integrity

LOW

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Small Seed Space in PRNG

CWE-339

Inadequate Encryption Strength

CWE-326

Use of Weak Hash

CWE-328

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CWE-335

EPSS

Base Score:

0.07

Products

Solutions

Resources

Company

Compare

Developer Tools