RustSec flags rand unsoundness when logging triggers thread-local reseeding

RustSec has flagged a rare but serious soundness bug in rand, warning that a custom logger can push thread-local reseeding into undefined behavior when the right features are enabled at the same time. The advisory, RUSTSEC-2026-0097, was reported on April 9 and issued on April 11, 2026, and it classified the issue as INFO / Unsound.

The failure pattern is narrow but real. A project had to enable both the log and thread_rng features, define a custom logger, and then have that logger call rand::rng() or the older rand::thread_rng() while also using TryRng or RngCore-style methods on ThreadRng. Under that setup, ThreadRng could try to reseed from inside the logger itself, which happens every 64 kB of generated data. The advisory said that if the logger was active at trace level, or at warn level when the random source could not supply a new seed, the reseed path could be triggered right inside logging.

That is where the trust gap opened. The unsafe code inside ThreadRng could cast a mutable pointer in a way that produced aliased mutable references, violating Rust’s Stacked Borrows rules and crossing into undefined behavior. Miri could detect the violation in sample code, but the advisory warned that optimized builds became hard to predict once UB entered the picture. In other words, safe application code could inherit a correctness hazard through an API boundary that looked ordinary on the surface.

The affected versions were rand >= 0.7 and < 0.9.3, plus rand 0.10.0. Patched releases were listed as rand >= 0.9.3 and >= 0.10.1, while versions below 0.7.0 were unaffected. The upstream fix was tied to rust-random/rand pull request #1763, and rand’s changelog for 0.10.1 noted that it included a fix for a soundness bug.

The advisory quickly spread across the ecosystem. GitLab’s advisory database mirrored it, along with Wiz and CIRCL, and issue bots in projects including Wasmtime, Cloudflare Pingora, and Tauri picked it up soon after. For teams that rely on custom structured logging, especially in servers or agents that generate large amounts of random data during startup or telemetry-heavy work, the lesson was blunt: Rust’s type system does not eliminate the need for disciplined unsafe code inside core crates, and crate interactions can still surprise even careful codebases.