
Tom Thorogood

#31301 of 53,632
8.2 Total CVSS
Vulnerabilities · 1
PT-2023-6901
8.2
2023-05-10
Circl · Circl · CVE-2023-1732
**Name of the Vulnerable Software and Affected Versions**
CIRCL versions prior to 1.3.3

**Description**
CIRCL called `crypto/rand.Read()` without checking its result. In the rare deployment cases where `Read()` returns an error, the buffer that is then used as randomness is left in a predictable state, which can produce a predictable shared secret. Additionally, the `tkn20` and `blindrsa` components did not check whether enough randomness was returned from the user-provided randomness source, typically `crypto/rand.Reader`. If that source does not return the requested number of random bytes, the blinding in `blindrsa` is weak and the integrity of the plaintext is not ensured in `tkn20`.

**Recommendations**
Update to CIRCL version 1.3.3 or later, which checks the results of `crypto/rand.Read()` and of the user-provided randomness source. Until the upgrade is rolled out, audit code that uses `tkn20` or `blindrsa` with a custom randomness source: the source must fill the whole buffer it is asked for and must fail visibly rather than silently return fewer bytes. Do not pass readers that may run dry or error out, and prefer `crypto/rand.Reader` unless a different source is genuinely required.
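The failure mode behind this advisory is a caller that discards the byte count and error returned by `Read()`, so an erroring or exhausted source leaves the tail of the buffer as zero bytes that are then used as "randomness". The Go program below, added here as an illustration and not taken from CIRCL, contrasts that weak pattern with the hardened form based on `io.ReadFull`. The `failingReader`, `chunkedReader`, `weakRandom`, `fullRandom` and `trailingZeros` names and the 8-byte sample source are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// failingReader models a randomness source whose Read() returns an error,
// the rare condition the advisory describes for crypto/rand.Read().
// Constructed for this example.
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) {
	return 0, errors.New("entropy source unavailable")
}

// chunkedReader is a well-behaved but chatty source: it never hands out more
// than `limit` bytes per call. The io.Reader contract allows this, so a single
// Read() call would see a short result even though the source is healthy.
// Constructed for this example.
type chunkedReader struct {
	src   io.Reader
	limit int
}

func (c chunkedReader) Read(p []byte) (int, error) {
	if len(p) > c.limit {
		p = p[:c.limit]
	}
	return c.src.Read(p)
}

// weakRandom is the pattern the advisory warns about: the byte count and
// error from Read() are ignored, so on failure or a short read the unfilled
// tail of the buffer stays zero and is returned as if it were random.
// Illustrative only; this is not CIRCL's code.
func weakRandom(src io.Reader, n int) []byte {
	buf := make([]byte, n)
	src.Read(buf) // count and error discarded
	return buf
}

// fullRandom is the hardened form: io.ReadFull keeps calling Read() until the
// buffer is full and reports any error or premature EOF instead of returning
// a partially filled buffer.
func fullRandom(src io.Reader, n int) ([]byte, error) {
	buf := make([]byte, n)
	if _, err := io.ReadFull(src, buf); err != nil {
		return nil, fmt.Errorf("randomness source did not fill %d bytes: %w", n, err)
	}
	return buf, nil
}

// trailingZeros counts the zero bytes at the end of b: the portion of a
// weakRandom result that was never written and is therefore predictable.
func trailingZeros(b []byte) int {
	n := 0
	for i := len(b) - 1; i >= 0 && b[i] == 0; i-- {
		n++
	}
	return n
}

func main() {
	const want = 32
	// Constructed exhausted source: 8 bytes of "randomness", then EOF.
	sample := []byte{0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04}

	weak := weakRandom(bytes.NewReader(sample), want)
	fmt.Printf("weak pattern, exhausted source: %d of %d bytes predictable\n", trailingZeros(weak), want)

	if _, err := fullRandom(bytes.NewReader(sample), want); err != nil {
		fmt.Println("hardened pattern, exhausted source:", err)
	}

	weak = weakRandom(failingReader{}, want)
	fmt.Printf("weak pattern, failing source: %d of %d bytes predictable\n", trailingZeros(weak), want)

	// A source that only returns 8 bytes per call is fine once ReadFull loops over it.
	good, err := fullRandom(chunkedReader{src: rand.Reader, limit: 8}, want)
	fmt.Printf("hardened pattern, chunked crypto/rand: %d bytes, err=%v\n", len(good), err)
}
```

Two points worth keeping in mind when applying this to a library that accepts a caller-supplied `io.Reader`: a short read per call is legal and must be handled by looping (which `io.ReadFull` does), while an error or an early EOF must abort the operation rather than fall through to the cryptographic step. Recent Go releases (1.24 and later) document that `crypto/rand.Read` never returns an error and crashes the process on an unrecoverable failure, but a user-provided reader carries no such guarantee, so the check on its result still matters.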