GHSA-cq8v-f236-94qc
ADVISORY - githubSummary
It has been reported (by @lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
- The
logandthread_rngfeatures are enabled - A custom logger is defined
- The custom logger accesses
rand::rng()(previouslyrand::thread_rng()) and calls anyTryRng(previouslyRngCore) methods onThreadRng - The
ThreadRng(attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data) - Trace-level logging is enabled or warn-level logging is enabled and the random source (the
getrandomcrate) is unable to provide a new seed
TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.
Affected versions of rand are >= 0.7, < 0.9.3 and 0.10.0.
Common Weakness Enumeration (CWE)
ADVISORY - github
Improper Input Validation
GitHub
CREATED
UPDATED
ADVISORY IDGHSA-cq8v-f236-94qc
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
N/AlowRustSec
CREATED
UPDATED
ADVISORY IDRUSTSEC-2026-0097
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-