Reported

April 19, 2019

Issued

October 1, 2020 (last modified: October 19, 2021)

Package

rand_core (crates.io)

Type

INFO Unsound

Aliases

• GHSA-mmc9-pwm7-qj5w
• CVE-2020-25576

References

• https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06

CVSS Score

9.8 CRITICAL

CVSS Details

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Patched

• ^0.3.1
• >=0.4.2

Affected Functions

Version

rand_core::BlockRng::fill_bytes

• <0.4.2

rand_core::BlockRng::next_u64

• <0.4.2

Description

Affected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior.

The flaw was corrected by Ralf Jung and Diggory Hardy.

Advisory available under CC0-1.0 license.