Cyber Resilience

CVE-2026-41858

High

Published: 04 June 2026

Published
04 June 2026
Modified
04 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0024 15.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41858 is a high-severity PRNG (CWE-338) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem / windows-utilities-release allows a network attacker to estimate VM boot time and reconstruct a small candidate list to recover the Administrator password. The randomize_password job exists solely to lock…

more

the local Administrator account behind an unguessable password as a hardening control. Because the password is derived from a predictable, clock-seeded PRNG, a network attacker who can estimate VM boot time can reconstruct a small candidate list and recover the Administrator password, defeating the hardening control. Affected versions: - windows-utilities-release: all versions prior to v0.23.0 (inclusive); fixed in v0.23.0 or later

CWE(s)

Related Threats

CVEs Like This One

CVE-2026-6659Shared CWE-338
CVE-2024-57854Shared CWE-338
CVE-2026-25726Shared CWE-338
CVE-2024-40762Shared CWE-338
CVE-2025-40905Shared CWE-338
CVE-2026-47372Shared CWE-338
CVE-2024-58041Shared CWE-338
CVE-2025-15578Shared CWE-338
CVE-2025-66630Shared CWE-338
CVE-2021-26091Shared CWE-338

Affected Assets

Affected
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-338

Security associations share details on cryptographically weak PRNGs, helping avoid their implementation in security-critical functions.

addresses: CWE-338

Cryptographic key management standards require cryptographically strong PRNGs for key material, blocking use of weak generators.

References