Insufficient Entropy

CVE-2026-13199

Summary

A CWE-331: Insufficient Entropy in rpi-eeprom package at v28.13-1 on Raspberry Pi 5 and Compute Module 5 produces non-random KASLR and RNG seed values across reboots.

Impact

This issue allows a local attacker to guess Linux kernel base address and bypass the KASLR protection mechanism.

Issue Date

July 6, 2026

Affects

This issue affects rpi-eeprom package versions prior to 28.22-1 on Raspberry Pi 5 and Compute Module 5

CVE Name

CVE-2026-13199

CVSS Details

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score

5.1

Solution

To fix this issue, it is suggested to update the rpi-eeprom package to version 28.22-1 or later.

Mitigations

Acknowledgements

Gabriele Quagliarella at Nozomi Networks

Nozomi Threat Intelligence

Nozomi Networks Labs curates threat and vulnerability insights that are continuously fed into the Nozomi Networks platform to ensure our sensors can detect existing and emerging threats and vulnerabilities that threaten customers environments.

Learn more
Nozomi Networks Threat Intelligence dashboard showing pie charts of targeted industries, countries, and malware types, with detailed threat actor and vulnerability information below.

Latest Labs Blogs

Spring Botnet Floods: Golang Malware Targets Exposed IoT Systems

Read

The Hidden Match: What Cyber Defenders Should Expect at the World Cup

Read

Breaking the Trust Boundary: Privilege Escalation in a PLCnext Industrial Controller

Read
View All

Take the next step.

Discover how easy it is to identify and respond to cyber threats by automating your OT and IoT asset discovery, inventory, and management.