Skip to content

Rand is unsound with a custom logger using rand::rng()

Low severity GitHub Reviewed Published Apr 14, 2026 to the GitHub Advisory Database • Updated Apr 22, 2026

Package

cargo rand (Rust)

Affected versions

= 0.10.0
>= 0.9.0, < 0.9.3
>= 0.7.0, < 0.8.6

Patched versions

0.10.1
0.9.3
0.8.6

Description

It has been reported (by @lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

  • The log and thread_rng features are enabled
  • A custom logger is defined
  • The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
  • The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
  • Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

References

Published to the GitHub Advisory Database Apr 14, 2026
Reviewed Apr 14, 2026
Last updated Apr 22, 2026

Severity

Low

EPSS score

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-cq8v-f236-94qc

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.