CVE-2023-31290

Name: CVE-2023-31290
Creator: NVD / NIST
Published: 2023-04-27T05:15:08.807+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.9/10EPSS 0.98%

Last modified Jun 17, 2026

CVE-2023-31290 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. EPSS estimates a 0.98% chance of exploitation in the next 30 days.

Description

Trust Wallet Core before 3.1.1, as used in the Trust Wallet browser extension before 0.0.183, allows theft of funds because the entropy is 32 bits, as exploited in the wild in December 2022 and March 2023. This occurs because the mt19937 Mersenne Twister takes a single 32-bit value as an input seed, resulting in only four billion possible mnemonics. The affected versions of the browser extension are 0.0.172 through 0.0.182. To steal funds efficiently, an attacker can identify all Ethereum addresses created since the 0.0.172 release, and check whether they are Ethereum addresses that could have been created by this extension. To respond to the risk, affected users need to upgrade the product version and also move funds to a new wallet address.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Probability

0.98%

57.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Trustwallet	Trust Wallet Browser Extension	>= 0.0.172, < 0.0.183
Trustwallet	Trust Wallet Core	< 3.1.1

References

https://blog.ledger.com/Funds-of-every-wallet-created-with-the-Trust-Wallet-browser-extension-could-have-been-stolen/Exploit, Third Party Advisory
https://community.trustwallet.com/t/browser-extension-wasm-vulnerability-postmortem/750787Vendor Advisory
https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786Vendor Advisory
https://github.com/trustwallet/wallet-core/compare/3.1.0...3.1.1Patch
https://twitter.com/TrustWallet/status/1649699428733947906Third Party Advisory
https://blog.ledger.com/Funds-of-every-wallet-created-with-the-Trust-Wallet-browser-extension-could-have-been-stolen/Exploit, Third Party Advisory
https://community.trustwallet.com/t/browser-extension-wasm-vulnerability-postmortem/750787Vendor Advisory
https://community.trustwallet.com/t/wasm-vulnerability-incident-update-and-recommended-actions/750786Vendor Advisory
https://github.com/trustwallet/wallet-core/compare/3.1.0...3.1.1Patch
https://twitter.com/TrustWallet/status/1649699428733947906Third Party Advisory

Timeline

Published: Apr 27, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-31290?

How severe is CVE-2023-31290?

CVE-2023-31290 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.98% probability of exploitation in the next 30 days.

How do I fix CVE-2023-31290?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-31290?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST