Weak KASLR and RNG Issues in Raspberry Pi 5 and Compute Module 5 Firmware
CVE-2026-13199

5.1MEDIUM

Key Information:

Vendor
CVE Published:
7 July 2026

What is CVE-2026-13199?

The EEPROM firmware on Raspberry Pi 5 and Compute Module 5 devices generates non-random KASLR and RNG seed values, leading to predictable kernel addresses across multiple boots and devices. This predictability could facilitate the exploitation of other existing vulnerabilities. Furthermore, the low-quality RNG seed may compromise the generation of random numbers and could also result in delays during boot-up while waiting for adequate entropy from alternative sources.

Affected Version(s)

Raspberry Pi 5 and Compute Module 5 Linux 0 < 28.22-1

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gabriele Quagliarella at Nozomi Networks
.