CVE-2009-3238

Name: CVE-2009-3238
Creator: NVD / NIST
Published: 2009-09-18T10:30:01.267+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 1.63%

Last modified Jun 16, 2026

CVE-2009-3238 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time.". EPSS estimates a 1.63% chance of exploitation in the next 30 days.

Description

The get_random_int function in drivers/char/random.c in the Linux kernel before 2.6.30 produces insufficiently random numbers, which allows attackers to predict the return value, and possibly defeat protection mechanisms based on randomization, via vectors that leverage the function's tendency to "return the same value over and over again for long stretches of time."

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.63%

73.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-338

Affected Software

Vendor	Product	Versions	Update
Linux	Linux Kernel	< 2.6.30	—
Canonical	Ubuntu Linux	6.06	—
Canonical	Ubuntu Linux	8.04	—
Canonical	Ubuntu Linux	8.10	—
Canonical	Ubuntu Linux	9.04	—
Opensuse	Opensuse	11.0	—
Suse	Linux Enterprise Desktop	10	Sp2
Suse	Linux Enterprise Server	10	Sp2

References

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00005.htmlMailing List
http://patchwork.kernel.org/patch/21766/Broken Link, Patch
http://secunia.com/advisories/37105Broken Link
http://secunia.com/advisories/37351Broken Link
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30Broken Link, Exploit, Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2009-1438.htmlBroken Link
http://www.ubuntu.com/usn/USN-852-1Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=499785Issue Tracking, Permissions Required
https://bugzilla.redhat.com/show_bug.cgi?id=519692Issue Tracking, Permissions Required
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11168Broken Link
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03836en_usThird Party Advisory
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02Broken Link
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.htmlMailing List
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00005.htmlMailing List
http://patchwork.kernel.org/patch/21766/Broken Link, Patch
http://secunia.com/advisories/37105Broken Link
http://secunia.com/advisories/37351Broken Link
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30Broken Link, Exploit, Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2009-1438.htmlBroken Link
http://www.ubuntu.com/usn/USN-852-1Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=499785Issue Tracking, Permissions Required
https://bugzilla.redhat.com/show_bug.cgi?id=519692Issue Tracking, Permissions Required
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11168Broken Link
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03836en_usThird Party Advisory

Timeline

Published: Sep 18, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-3238?

How severe is CVE-2009-3238?

CVE-2009-3238 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 1.63% probability of exploitation in the next 30 days.

How do I fix CVE-2009-3238?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-3238?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST