CWE · MITRE source
CWE-330: Use of Insufficiently Random Values
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Last updated: 04 July 2026 08:17 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: full · 16 mapping(s) from 7 framework(s): ATT&CK 4 (partial) · STIG oracle linux 8 3 (mostly) · STIG rhel 8 3 (mostly) · CAPEC 3 (partial) · OWASP-Web 1 (full) · STIG oracle linux 9 1 (mostly) · STIG rhel 9 1 (mostly)
OWASP Top 10 for Web (2025)
This weakness contributes to A04:2025 Cryptographic Failures.
NIST 800-53 r5 controls that address this weakness (1)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-12 | Cryptographic Key Establishment and Management | SC | Key generation under controlled management uses approved random-bit sources rather than insufficiently random values. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2019-5420 | 8.0 | 9.8 | 0.9214 | 2019-03-27 |
| CVE-2021-34646 | 8.0 | 9.8 | 0.5087 | 2021-08-30 |
| CVE-2008-2433 | 7.0 | 9.8 | 0.1093 | 2008-08-27 |
| CVE-2008-3612 | 7.0 | 9.8 | 0.0352 | 2008-09-11 |
| CVE-2016-5100 | 7.0 | 9.8 | 0.0192 | 2017-02-13 |
| CVE-2017-6026 | 7.0 | 9.1 | 0.3182 | 2017-06-30 |
| CVE-2017-7902 | 7.0 | 9.8 | 0.0256 | 2017-06-30 |
| CVE-2017-7905 | 7.0 | 9.8 | 0.0128 | 2017-06-30 |
| CVE-2017-16924 | 7.0 | 9.8 | 0.0876 | 2018-02-19 |
| CVE-2018-16239 | 7.0 | 9.8 | 0.0123 | 2018-08-30 |
| CVE-2018-17888 | 7.0 | 9.8 | 0.2964 | 2018-10-12 |
| CVE-2018-18375 | 7.0 | 9.8 | 0.0130 | 2018-10-16 |
| CVE-2018-18531 | 7.0 | 9.8 | 0.0147 | 2018-10-19 |
| CVE-2018-18602 | 7.0 | 9.8 | 0.0143 | 2018-12-31 |
| CVE-2019-0007 | 7.0 | 9.3 | 0.0173 | 2019-01-15 |
| CVE-2019-0729 | 7.0 | 9.8 | 0.0313 | 2019-03-05 |
| CVE-2019-9898 | 7.0 | 9.8 | 0.0394 | 2019-03-21 |
| CVE-2019-9863 | 7.0 | 9.8 | 0.0215 | 2019-03-27 |
| CVE-2019-7667 | 7.0 | 9.8 | 0.0450 | 2019-07-01 |
| CVE-2019-15130 | 7.0 | 9.8 | 0.0240 | 2019-08-18 |
| CVE-2019-2294 | 7.0 | 9.8 | 0.0091 | 2019-09-30 |
| CVE-2013-4102 | 7.0 | 9.1 | 0.0197 | 2019-11-04 |
| CVE-2014-6311 | 7.0 | 9.8 | 0.0167 | 2019-11-22 |
| CVE-2019-16674 | 7.0 | 9.8 | 0.0187 | 2019-12-06 |
| CVE-2020-1731 | 7.0 | 9.1 | 0.0128 | 2020-03-02 |