Wiz
Vulnerability DatabaseGHSA-cq8v-f236-94qc

GHSA-cq8v-f236-94qc
Rust vulnerability analysis and mitigation

It has been reported (by @lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

  • The log and thread_rng features are enabled
  • A custom logger is defined
  • The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
  • The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
  • Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict. Affected versions of rand are >= 0.7, < 0.9.3 and 0.10.0.

SourceNVD

Related Rust vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-40323HIGH8.9
  • RustRust
  • sp1_prover
NoYesApr 14, 2026
CVE-2026-40093HIGH8.1
  • RustRust
  • nimiq-blockchain
NoNoApr 09, 2026
CVE-2026-34069MEDIUM5.3
  • RustRust
  • nimiq-consensus
NoNoApr 14, 2026
GHSA-cq8v-f236-94qcLOWN/A
  • RustRust
  • rand
NoYesApr 14, 2026
RUSTSEC-2026-0098N/AN/A
  • RustRust
  • rustls-webpki
NoYesApr 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo