Out-of-Bounds Affecting rand package, versions >=0.7.0-pre.0 <0.9.3>=0.10.0-rc.0 <0.10.1
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RUST-RAND-16073005
- published15 Apr 2026
- disclosed9 Apr 2026
- creditRyan Lopopolo
Introduced: 9 Apr 2026
New CVE NOT AVAILABLE CWE-119 (opens in a new tab)How to fix?
Upgrade rand to version 0.9.3, 0.10.1 or higher.
Overview
Affected versions of this package are vulnerable to Out-of-Bounds in the TryRng methods when the log and thread_rng features are enabled, a custom logger is defined, and the custom logger accesses rand::rng() and calls any TryRng methods on ThreadRng. If ThreadRng attempts to reseed while called from the custom logger, and trace-level logging is enabled or warn-level logging is enabled while the random source cannot provide a new seed, this can result in an aliased mutable reference. An attacker can trigger undefined behavior by causing the construction of aliased mutable references through these conditions.