CWE · MITRE source
CWE-326: Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 12 mapping(s) from 8 framework(s): CAPEC 3 (partial) · ASVS 5.0 2 (mostly) · ATT&CK 2 (partial) · OWASP-Web 1 (full) · STIG oracle linux 9 1 (mostly) · STIG rhel 8 1 (mostly) · STIG rhel 9 1 (partial) · STIG windows server 2016 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A04:2025 Cryptographic Failures.
NIST 800-53 r5 controls that address this weakness (5) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-12 | Cryptographic Key Establishment and Management | SC | Establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm. |
| SC-13 | Cryptographic Protection | SC | Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength. |
| PM-15 | Security and Privacy Groups and Associations | PM | Maintaining currency with technologies and practices reduces selection of encryption mechanisms that provide inadequate strength. |
| RA-4 | Risk Assessment Update | RA | Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers. |
| SI-2 | Flaw Remediation | SI | Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-11317 KEV | 10.0 | 9.8 | 0.8348 | 2017-08-23 |
| CVE-2017-1000486 KEV | 10.0 | 9.8 | 0.9410 | 2018-01-03 |
| CVE-2018-15811 KEV | 10.0 | 7.5 | 0.7405 | 2019-07-03 |
| CVE-2018-18325 KEV | 10.0 | 7.5 | 0.7405 | 2019-07-03 |
| CVE-2011-3389 | 8.0 | 0.0 | 0.7333 | 2011-09-06 |
| CVE-2013-2566 | 8.0 | 5.9 | 0.8442 | 2013-03-15 |
| CVE-2014-0224 | 8.0 | 7.4 | 0.9533 | 2014-06-05 |
| CVE-2016-5804 | 7.0 | 9.8 | 0.0112 | 2016-07-15 |
| CVE-2016-9121 | 7.0 | 9.1 | 0.0141 | 2017-03-28 |
| CVE-2017-8076 | 7.0 | 9.8 | 0.0090 | 2017-04-23 |
| CVE-2017-7229 | 7.0 | 9.1 | 0.0076 | 2017-05-03 |
| CVE-2017-7888 | 7.0 | 9.8 | 0.0107 | 2017-05-10 |
| CVE-2017-7903 UPD | 7.0 | 9.8 | 0.0274 | 2017-06-30 |
| CVE-2017-7905 | 7.0 | 9.8 | 0.0128 | 2017-06-30 |
| CVE-2017-7673 | 7.0 | 9.8 | 0.0165 | 2017-07-17 |
| CVE-2014-9975 | 7.0 | 9.8 | 0.0044 | 2017-08-18 |
| CVE-2015-0575 | 7.0 | 9.8 | 0.0052 | 2017-08-18 |
| CVE-2017-14090 | 7.0 | 9.1 | 0.0134 | 2017-12-16 |
| CVE-2018-7242 | 7.0 | 9.8 | 0.0195 | 2018-04-18 |
| CVE-2017-16726 | 7.0 | 9.1 | 0.0051 | 2018-06-27 |
| CVE-2018-15124 | 7.0 | 9.8 | 0.0107 | 2018-08-13 |
| CVE-2018-0448 | 7.0 | 9.8 | 0.0214 | 2018-10-05 |
| CVE-2019-10907 | 7.0 | 9.8 | 0.0092 | 2019-04-07 |
| CVE-2018-20810 | 7.0 | 9.8 | 0.0177 | 2019-06-28 |
| CVE-2019-15805 | 7.0 | 9.8 | 0.0119 | 2019-08-29 |