CWE · MITRE source
CWE-326: Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (5) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-12 | Cryptographic Key Establishment and Management | SC | Establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm. |
| SC-13 | Cryptographic Protection | SC | Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength. |
| PM-15 | Security and Privacy Groups and Associations | PM | Maintaining currency with technologies and practices reduces selection of encryption mechanisms that provide inadequate strength. |
| RA-4 | Risk Assessment Update | RA | Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers. |
| SI-2 | Flaw Remediation | SI | Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2017-1000486 KEV | 9.6 | 9.8 | 0.9364 | 2018-01-03 |
| CVE-2017-11317 KEV | 9.5 | 9.8 | 0.9197 | 2017-08-23 |
| CVE-2018-15811 KEV | 9.1 | 7.5 | 0.9300 | 2019-07-03 |
| CVE-2018-18325 KEV | 9.1 | 7.5 | 0.9296 | 2019-07-03 |
| CVE-2014-0224 | 6.9 | 7.4 | 0.8969 | 2014-06-05 |
| CVE-2013-2566 | 6.6 | 5.9 | 0.9076 | 2013-03-15 |
| CVE-2017-14262 | 2.9 | 8.1 | 0.2102 | 2017-09-11 |
| CVE-2024-52317 | 2.6 | 6.5 | 0.2107 | 2024-11-18 |
| CVE-2024-36823 | 2.2 | 7.5 | 0.1182 | 2024-06-06 |
| CVE-2018-20810 | 2.1 | 9.8 | 0.0154 | 2019-06-28 |
| CVE-2024-52318 | 2.1 | 6.1 | 0.1547 | 2024-11-18 |
| CVE-2016-5804 | 2.0 | 9.8 | 0.0018 | 2016-07-15 |
| CVE-2017-8076 | 2.0 | 9.8 | 0.0042 | 2017-04-23 |
| CVE-2017-7888 | 2.0 | 9.8 | 0.0016 | 2017-05-10 |
| CVE-2017-7903 | 2.0 | 9.8 | 0.0023 | 2017-06-30 |
| CVE-2017-7905 | 2.0 | 9.8 | 0.0020 | 2017-06-30 |
| CVE-2017-7673 | 2.0 | 9.8 | 0.0040 | 2017-07-17 |
| CVE-2014-9975 | 2.0 | 9.8 | 0.0003 | 2017-08-18 |
| CVE-2015-0575 | 2.0 | 9.8 | 0.0006 | 2017-08-18 |
| CVE-2018-7242 | 2.0 | 9.8 | 0.0025 | 2018-04-18 |
| CVE-2018-15124 | 2.0 | 9.8 | 0.0035 | 2018-08-13 |
| CVE-2018-0448 | 2.0 | 9.8 | 0.0108 | 2018-10-05 |
| CVE-2019-10907 | 2.0 | 9.8 | 0.0016 | 2019-04-07 |
| CVE-2019-15805 | 2.0 | 9.8 | 0.0023 | 2019-08-29 |
| CVE-2019-15806 | 2.0 | 9.8 | 0.0023 | 2019-08-29 |