Weak Random Number Generation in wolfSSL After Fork Operations
CVE-2025-7394

7 HIGH

Key Information:

Vendor

wolfSSL

Status
Vendor
CVE Published:
18 July 2025

What is CVE-2025-7394?

A flaw has been identified in the OpenSSL compatibility layer of wolfSSL: the function RAND_poll() does not perform correctly, so values returned by RAND_bytes() after a fork() can be predictable. A child process inherits the parent's generator state, so without a reseed both processes produce the same output stream. The issue affects applications that call RAND_bytes() in the child after a fork. Although the documentation warns against using RAND_bytes() after fork() without first calling RAND_poll(), wolfSSL has changed its behavior: the library's Hash-DRBG now reseeds when it detects that it is running in a new process after a fork, which addresses the vulnerability. Users are advised to upgrade to the latest version of wolfSSL to mitigate this risk.
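The failure mode described above (a forked child inheriting the parent's generator state) and the mitigation (reseeding when a new process is detected) can be demonstrated with a small constructed example. The following C program is an added illustration, not wolfSSL's code: it wraps a deliberately toy generator (an LCG, not a real DRBG) in a structure that remembers the PID that seeded it and reseeds from /dev/urandom when the PID changes, which is the same check the advisory says the wolfSSL Hash-DRBG now performs. The names `demo_drbg`, `demo_seed`, `demo_rand_bytes` and `demo_fork_test` are all assumptions made for this example. In an application linked against an affected version, the equivalent defensive step is to call RAND_poll() in the child before the first RAND_bytes().

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed example: a toy generator with fork detection.
 * The generator itself is a plain LCG for illustration only; the point is the
 * PID bookkeeping around it, not the quality of the output. */
typedef struct {
    uint64_t state;      /* toy generator state (NOT a cryptographic DRBG) */
    pid_t seeded_pid;    /* PID of the process that last seeded the state */
    int reseed_count;    /* how many times demo_seed() has run */
} demo_drbg;

/* Seed from /dev/urandom and record the current PID. Returns 0 on success. */
static int demo_seed(demo_drbg *d) {
    uint64_t s;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, &s, sizeof s);
    close(fd);
    if (n != (ssize_t)sizeof s) return -1;
    d->state = s;
    d->seeded_pid = getpid();
    d->reseed_count++;
    return 0;
}

/* Fill out[] with len bytes. If the PID differs from the one that seeded the
 * state (i.e. we are in a forked child), reseed first. This mirrors the
 * "reseed when a new process is detected" behaviour the advisory describes.
 * Returns 1 if a reseed happened, 0 if not, -1 on error. */
static int demo_rand_bytes(demo_drbg *d, unsigned char *out, size_t len) {
    int reseeded = 0;
    if (d->seeded_pid != getpid()) {
        if (demo_seed(d) != 0) return -1;
        reseeded = 1;
    }
    for (size_t i = 0; i < len; i++) {
        /* toy LCG step; a real DRBG would run its hash-based generate function */
        d->state = d->state * 6364136223846793005ULL + 1442695040888963407ULL;
        out[i] = (unsigned char)(d->state >> 56);
    }
    return reseeded;
}

/* Seed once, fork, draw 16 bytes in parent and child, and compare.
 * detect_fork = 1: child runs the PID check (post-fix behaviour).
 * detect_fork = 0: child skips the check, emulating an application that calls
 *                  RAND_bytes() after fork() without any reseed.
 * Returns 1 if parent and child output differ, 0 if identical, -1 on error. */
static int demo_fork_test(int detect_fork) {
    demo_drbg d = {0, 0, 0};
    unsigned char parent_out[16], child_out[16];
    int fds[2];
    if (demo_seed(&d) != 0) return -1;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        unsigned char buf[16];
        if (!detect_fork) d.seeded_pid = getpid();  /* defeat the check on purpose */
        if (demo_rand_bytes(&d, buf, sizeof buf) < 0) _exit(1);
        if (write(fds[1], buf, sizeof buf) != (ssize_t)sizeof buf) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    size_t got = 0;
    while (got < sizeof child_out) {
        ssize_t n = read(fds[0], child_out + got, sizeof child_out - got);
        if (n <= 0) { close(fds[0]); waitpid(pid, NULL, 0); return -1; }
        got += (size_t)n;
    }
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (demo_rand_bytes(&d, parent_out, sizeof parent_out) < 0) return -1;
    return memcmp(parent_out, child_out, sizeof parent_out) != 0;
}

int main(void) {
    printf("no fork detection: outputs differ = %d\n", demo_fork_test(0));
    printf("fork detection:    outputs differ = %d\n", demo_fork_test(1));
    return 0;
}
```

Without the PID check the parent and child emit byte-for-byte identical output from the inherited state; with the check the child reseeds and its output diverges. This is also a cheap regression test to keep in an application's own test suite after upgrading: fork, draw from the generator in both processes, and assert that the streams differ.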

Affected Version(s)

wolfSSL 5.8.0

References

CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Per Allansson