I’m guessing a bug in pre-authentication code.
A post-auth bug! Well, I guess the buggy code is technically pre-auth, but from the description it sounds like the vulnerability is limited to one authenticated user messing with another authenticated user, i.e., it’s “only” a problem for shared database servers.
PRNG (predictable random number generator) for the not win. Again.
More than one bug being fixed?