Rust rand Library v0.10.1 Patches Critical Soundness Vulnerability (GHSA-cq8v-f236-94qc)
A critical soundness vulnerability in the widely used Rust `rand` library has been patched in version 0.10.1. The flaw, tracked as GHSA-cq8v-f236-94qc, is a library unsoundness issue: safe Rust code that only uses the crate's public API can trigger undefined behavior (UB). This class of bug is particularly severe in Rust's safety-focused ecosystem because it breaks the guarantee that safe code cannot cause memory corruption, and the compiler can neither detect nor warn about it.
The vulnerability manifests only under a specific but plausible set of conditions: the `log` and `thread_rng` features must both be enabled, the application must install a custom logger, and that logger must itself obtain `rand::rng()` (formerly `rand::thread_rng()`) and call `TryRng` methods on the `ThreadRng` handle. The undefined behavior occurs when the `ThreadRng` reseeds itself: reseeding emits a log record through the `log` crate (which is why the `log` feature is required), and if the logger then draws from the same thread-local generator, that second access overlaps the first one that is still in progress on the same thread. This is a reentrancy hazard rather than a cross-thread race (`ThreadRng` is per-thread and not `Send`), but it still yields aliased mutable access to the generator state, which is exactly the invariant Rust's safety model forbids.
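To make the trigger concrete, here is an added, self-contained example (not code from the `rand` crate or the advisory). It builds a hypothetical miniature of the pattern: a per-thread generator behind an `Rc`, a `rng()`-style handle, a global logger hook that stands in for `log::set_logger`, and a reseed step that logs while it holds the mutable borrow. The toy differs from the real type in one deliberate way: the state sits in a checked `RefCell` rather than an unchecked cell, so the logger's reentrant draw is reported as an error instead of silently aliasing a live `&mut`. The SplitMix64 output, the reseed-by-mixing-a-constant step, `RESEED_AFTER = 4` and all names (`MiniThreadRng`, `rng_using_logger`, `run_past_reseed`) are assumptions of this example.

```rust
use std::cell::{Cell, RefCell};
use std::rc::Rc;

/// Hypothetical stand-in for the `log` crate's global logger hook
/// (the real crate installs a `&'static dyn Log` via `log::set_logger`).
pub type LogHook = fn(&str);

/// Toy generator state. The real ThreadRng wraps a reseeding block cipher
/// generator; a SplitMix64 step is enough here, and "reseeding" just mixes
/// in a fixed constant (assumption for the example, not real entropy).
struct Inner {
    state: u64,
    since_reseed: u32,
}

/// Reseed after this many outputs (a tiny toy value so the path is hit fast).
const RESEED_AFTER: u32 = 4;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct ReentrancyError;

thread_local! {
    // Shared per-thread state behind a *checked* RefCell. The point of the
    // demonstration is what a checked cell catches and an unchecked one cannot.
    static RNG_STATE: Rc<RefCell<Inner>> = Rc::new(RefCell::new(Inner {
        state: 0x9E37_79B9_7F4A_7C15,
        since_reseed: 0,
    }));
    static LOGGER: Cell<Option<LogHook>> = Cell::new(None);
    // Where the misbehaving logger below records what it observed.
    static LAST_HOOK_RESULT: Cell<Option<Result<u64, ReentrancyError>>> = Cell::new(None);
}

/// Handle analogous to `ThreadRng`: a cheap clone of the shared Rc.
pub struct MiniThreadRng(Rc<RefCell<Inner>>);

/// Analogous to `rand::rng()`.
pub fn rng() -> MiniThreadRng {
    RNG_STATE.with(|s| MiniThreadRng(Rc::clone(s)))
}

/// Analogous to `log::set_logger`.
pub fn set_logger(hook: LogHook) {
    LOGGER.with(|l| l.set(Some(hook)));
}

fn emit_log(msg: &str) {
    if let Some(hook) = LOGGER.with(|l| l.get()) {
        hook(msg);
    }
}

impl Inner {
    fn reseed(&mut self) {
        // The hazard in miniature: the log record is emitted while `self` is
        // mutably borrowed, so a logger that re-enters the RNG aliases it.
        emit_log("reseeding thread-local RNG");
        self.state ^= 0xD1B5_4A32_D192_ED03;
        self.since_reseed = 0;
    }

    fn splitmix64(&mut self) -> u64 {
        self.state = self.state.wrapping_add(0x9E37_79B9_7F4A_7C15);
        let mut z = self.state;
        z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
        z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
        z ^ (z >> 31)
    }
}

impl MiniThreadRng {
    /// Fallible draw, in the spirit of a `TryRng` method. A reentrant call
    /// (the cell is already mutably borrowed higher up the stack) fails
    /// cleanly instead of creating two live `&mut` to the same state.
    pub fn try_next_u64(&self) -> Result<u64, ReentrancyError> {
        let mut inner = self.0.try_borrow_mut().map_err(|_| ReentrancyError)?;
        if inner.since_reseed >= RESEED_AFTER {
            inner.reseed();
        }
        inner.since_reseed += 1;
        Ok(inner.splitmix64())
    }
}

/// A logger that does what the advisory warns against: it reaches for the
/// thread-local RNG from inside the log call.
pub fn rng_using_logger(_msg: &str) {
    let r = rng().try_next_u64();
    LAST_HOOK_RESULT.with(|c| c.set(Some(r)));
}

pub fn last_hook_result() -> Option<Result<u64, ReentrancyError>> {
    LAST_HOOK_RESULT.with(|c| c.get())
}

/// Drive the generator past one reseed and report what the logger's
/// reentrant draw returned (Err(ReentrancyError) with the checked cell).
pub fn run_past_reseed() -> (Vec<u64>, Option<Result<u64, ReentrancyError>>) {
    set_logger(rng_using_logger);
    LAST_HOOK_RESULT.with(|c| c.set(None));
    let r = rng();
    let draws: Vec<u64> = (0..RESEED_AFTER + 1)
        .map(|_| r.try_next_u64().expect("outer draw is not reentrant"))
        .collect();
    (draws, last_hook_result())
}

fn main() {
    let (draws, hook) = run_past_reseed();
    println!("outer draws: {:?}", draws);
    println!("logger's reentrant draw: {:?}", hook);
}
```

The fifth outer draw hits the reseed path, the reseed logs, and the logger's own draw is refused. Replace the `RefCell` with an `UnsafeCell` and the same control flow hands two live mutable references to one `Inner`, with no error to observe, which is the shape of bug the advisory describes. The practical rule for loggers follows directly: never obtain `rand::rng()` inside a `Log` implementation; if a logger needs randomness, give it its own generator.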
The update from version 0.10.0 to 0.10.1 addresses this flaw. Developers using the `rand` crate with the implicated features should update immediately; note that `log` and `thread_rng` may be enabled transitively by another dependency rather than by your own `Cargo.toml`, so check the resolved graph (`cargo tree -i rand` shows which crates pull in `rand` and at what version, and `cargo tree -e features` shows which features end up enabled) rather than trusting a manifest. The patch highlights the ongoing challenge of ensuring soundness in complex, feature-rich libraries, even within Rust's strict compile-time safety framework. Failure to update leaves applications exposed to unpredictable crashes or memory corruption stemming from this library-level unsoundness.