Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Affecting triton-vm package, versions >=0.41.0 <2.0.0


Severity

Recommended: 0.0 medium (scale 0 to 10)

CVSS assessment by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-TRITONVM-15091550
  • Published: 25 Jan 2026
  • Disclosed: 21 Jan 2026
  • Credit: Unknown

Introduced: 21 Jan 2026

CVE NOT AVAILABLE, CWE-338

How to fix?

Upgrade triton-vm to version 2.0.0 or higher.
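
To find out whether a project resolves triton-vm to an affected version before upgrading, the following added example (not Snyk's or the triton-vm project's code) scans Cargo.lock text for triton-vm entries in the range >=0.41.0 <2.0.0 using only the Rust standard library. The lockfile contents, the version numbers in it and the `example-dep` crate are constructed sample input; pre-release tags are treated conservatively as still affected.

```rust
/// Parse "MAJOR.MINOR.PATCH[-pre][+build]" into (major, minor, patch, is_prerelease).
fn parse_version(v: &str) -> Option<(u64, u64, u64, bool)> {
    let no_build = v.split('+').next()?; // build metadata does not affect ordering
    let (core, pre) = match no_build.split_once('-') {
        Some((c, _)) => (c, true),
        None => (no_build, false),
    };
    let mut n = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((n.next()??, n.next()??, n.next()??, pre))
}

/// True if `version` is in the advisory's range >=0.41.0 <2.0.0. Pre-releases are
/// handled conservatively: a 2.0.0 pre-release sorts below 2.0.0 and is flagged.
fn is_affected(version: &str) -> bool {
    parse_version(version).map_or(false, |(ma, mi, pa, pre)| {
        let core = (ma, mi, pa);
        core >= (0, 41, 0) && (core < (2, 0, 0) || (core == (2, 0, 0) && pre))
    })
}

/// Versions of every affected `triton-vm` entry found in Cargo.lock text.
fn affected_triton_vm(lock: &str) -> Vec<String> {
    let mut hits = Vec::new();
    let mut name = String::new();
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name.clear(); // a new entry starts; forget the previous name
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if name == "triton-vm" && is_affected(v) {
                hits.push(v.to_string());
            }
        }
    }
    hits
}

// Constructed sample lockfile; the versions and `example-dep` are illustrative.
const SAMPLE_LOCK: &str = "version = 3\n\n[[package]]\nname = \"triton-vm\"\nversion = \"0.42.1\"\n\n\
[[package]]\nname = \"triton-vm\"\nversion = \"2.0.0\"\n\n[[package]]\nname = \"example-dep\"\nversion = \"0.41.0\"\n";

fn main() {
    for v in affected_triton_vm(SAMPLE_LOCK) {
        println!("triton-vm {} is affected; upgrade to 2.0.0 or higher", v);
    }
}
```

To check a real project, pass the contents of its Cargo.lock (for example via `std::fs::read_to_string`) to `affected_triton_vm` instead of `SAMPLE_LOCK`.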

Overview

Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) due to improper sampling of randomness in the FRI sub-protocol. An attacker can undermine the integrity of the verification process by crafting proofs for arbitrary statements that are accepted as valid by the verifier. This is only exploitable if the protocol relies on the supplied verifier implementation and does not implement its own verifier.
