2338871 – (CVE-2025-0577) CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable randomness

Bug 2338871 (CVE-2025-0577) - CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable randomness

Summary: CVE-2025-0577 glibc: vDSO getrandom acceleration may return predictable rando...

Keywords:
Status:	NEW
Alias:	CVE-2025-0577
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2341852 2341853
Blocks:
TreeView+	depends on / blocked

Reported:	2025-01-19 15:39 UTC by OSIDB Bzimport
Modified:	2025-04-06 19:08 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-01-19 15:39:41 UTC

In Fedora 40 glibc between glibc-2.39-28.fc40 and glibc-2.39-33.fc40 (inclusive) and in Fedora 41 glibc between glibc-2.40-12.fc41 and glibc-2.40-17.fc41, the vDSO getrandom acceleration (impacting getrandom and the arc4random family of functions) may return predictable randomness if these functions are called again after fork that happened concurrently with a call to any of these functions. 

The issue currently impacts CentOS 10 Stream (glibc-2.39-29.el10 to glibc-2.39-33.el10).

No glibc upstream release is impacted, this was caught during glibc 2.41 development.

Note You need to log in before you can comment on or make changes to this bug.