Wasmtime GitHub notifications bot (Apr 12 2026 at 00:19): Wasmtime GitHub notifications bot (Apr 12 2026 at 00:19):github-actions[bot] opened issue #13057:
Rand is unsound with a custom logger using
rand::rng()
Details Status unsound Package randVersion 0.8.5URL https://github.com/rust-random/rand/pull/1763 Date 2026-04-09 It has been reported (by @lopopolo) that the
randlibrary is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:
- The
logandthread_rngfeatures are enabled- A custom logger is defined
- The custom logger accesses
rand::rng()(previouslyrand::thread_rng()) and calls anyTryRng(previouslyRngCore) methods onThreadRng- The
ThreadRng(attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)- Trace-level logging is enabled or warn-level logging is enabled and the random source (the
getrandomcrate) is unable to provide a new seed
TryRng(previouslyRngCore) methods forThreadRnguseunsafecode to cast*mut BlockRng<ReseedingCore>to&mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.Affected versions of
randare>= 0.7, < 0.9.3and0.10.0.See advisory page for additional details.
Last updated: Apr 12 2026 at 23:10 UTC