RustSec Advisories

RUSTSEC-2026-0097: Unsoundness in rand

2026-04-11T12:00:00+00:00

RUSTSEC-2026-0097

Rand is unsound with a custom logger using rand::rng()

Reported

April 9, 2026

Issued

April 11, 2026

Package

rand (crates.io)

Type

INFO Unsound

References

https://github.com/rust-random/rand/pull/1763

Patched

>=0.10.1
<0.10.0, >=0.9.3

Unaffected

<0.7.0

Affected Functions

Version

rand::rng

>=0.9.0

rand::thread_rng

<0.10.0, >=0.7.0

Description

It has been reported (by @lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

The log and thread_rng features are enabled
A custom logger is defined
The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Affected versions of rand are >= 0.7, < 0.9.3 and 0.10.0.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0095: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0095

Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83

CVSS Score

9 CRITICAL

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: High
Confidentiality Impact to the Subsequent System: High
Integrity Impact to the Subsequent System: High
User Interaction: None
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: High
Integrity Impact to the Vulnerable System: High

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Patched

>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83 For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0092: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0092

Panic when transcoding misaligned component model UTF-16 strings

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775

CVSS Score

5.9 MEDIUM

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: Low
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Passive
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Patched

>=24.0.7, <25.0.0
>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jxhv-7h78-9775 For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0089: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0089

Host panic when Winch compiler executes table.fill

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw

CVSS Score

5.9 MEDIUM

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Passive
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Patched

>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-q49f-xg75-m9xw For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0096: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0096

Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w

CVSS Score

9 CRITICAL

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: High
Confidentiality Impact to the Subsequent System: High
Integrity Impact to the Subsequent System: High
User Interaction: None
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: High
Integrity Impact to the Vulnerable System: High

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Patched

>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0090: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0090

Use-after-free bug after cloning wasmtime::Linker

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2

CVSS Score

1 LOW

CVSS Details

Attack Complexity: High
Attack Requirements: Present
Attack Vector: Physical
Privileges Required: High
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Active
Availability Impact to the Vulnerable System: Low
Confidentiality Impact to the Vulnerable System: Low
Integrity Impact to the Vulnerable System: Low

CVSS Vector

CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Patched

>=43.0.1

Unaffected

<43.0.0

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hfr4-7c6c-48w2 For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0088: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0088

Data leakage between pooling allocator instances

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p

CVSS Score

2.3 LOW

CVSS Details

Attack Complexity: High
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: Low
Integrity Impact to the Subsequent System: None
User Interaction: None
Availability Impact to the Vulnerable System: None
Confidentiality Impact to the Vulnerable System: Low
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Patched

>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-6wgr-89rj-399p For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0093: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0093

Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv

CVSS Score

6.9 MEDIUM

CVSS Details

Attack Complexity: Low
Attack Requirements: None
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Passive
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Patched

>=24.0.7, <25.0.0
>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-hx6p-xpx3-jvvv For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0094: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0094

Improperly masked return value from table.grow with Winch compiler backend

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7

CVSS Score

6.1 MEDIUM

CVSS Details

Attack Complexity: High
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: None
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: Low
Integrity Impact to the Vulnerable System: Low

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Patched

>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-f984-pcp8-v2p7 For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0086: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0086

Host data leakage with 64-bit tables and Winch

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946

CVSS Score

2.3 LOW

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: Low
Integrity Impact to the Subsequent System: None
User Interaction: None
Availability Impact to the Vulnerable System: None
Confidentiality Impact to the Vulnerable System: Low
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Patched

>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m9w2-8782-2946 For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0091: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0091

Out-of-bounds write or crash when transcoding component model strings

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm

CVSS Score

6.1 MEDIUM

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Network
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: None
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: Low
Integrity Impact to the Vulnerable System: Low

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Patched

>=24.0.7, <25.0.0
>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-394w-hwhg-8vgm For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0085: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0085

Panic when lifting flags component value

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq

CVSS Score

5.6 MEDIUM

CVSS Details

Attack Complexity: High
Attack Requirements: Present
Attack Vector: Network
Privileges Required: High
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Active
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Patched

>=24.0.7, <25.0.0
>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-m758-wjhj-p3jq For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0087: Vulnerability in wasmtime

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0087

Wasmtime segfault or unused out-of-sandbox load with f64x2.splat operator on Cranelift x86-64

Reported

April 9, 2026

Issued

April 9, 2026

Package

wasmtime (crates.io)

Type

Vulnerability

Aliases

References

https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv

CVSS Score

4.1 MEDIUM

CVSS Details

Attack Complexity: Low
Attack Requirements: Present
Attack Vector: Local
Privileges Required: Low
Availability Impact to the Subsequent System: None
Confidentiality Impact to the Subsequent System: None
Integrity Impact to the Subsequent System: None
User Interaction: Active
Availability Impact to the Vulnerable System: High
Confidentiality Impact to the Vulnerable System: None
Integrity Impact to the Vulnerable System: None

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Patched

>=24.0.7, <25.0.0
>=36.0.7, <37.0.0
>=42.0.2, <43.0.0
>=43.0.1

Description

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-qqfj-4vcm-26hv For more information see the GitHub-hosted security advisory.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0084: Vulnerability in logprinter

2026-04-09T12:00:00+00:00

RUSTSEC-2026-0084

logprinter was removed from crates.io for malicious code

Reported

April 9, 2026

Issued

April 9, 2026

Package

logprinter

Type

Vulnerability

References

https://socket.dev/supply-chain-attacks/north-korea-s-contagious-interview-campaign

Patched

no patched versions

Description

The crate downloaded code from an external HTTP endpoint and executed it within its trace() fn.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0082: zantetsu-ffi is unmaintained

2026-04-08T12:00:00+00:00

RUSTSEC-2026-0082

zantetsu-ffi is unmaintained

Reported

April 7, 2026

Issued

April 8, 2026

Package

zantetsu-ffi (crates.io)

Type

INFO Unmaintained

References

https://github.com/enrell/psyche/issues/1

Patched

no patched versions

Description

The zantetsu-ffi crate is no longer maintained. The Node.js, Python, and C FFI bindings it provided were removed as part of the zantetsu 0.2 release, which refocused the project on its core Rust library.

A tombstone version (0.2.0) has been published and 0.1.4 has been yanked. There is no replacement for zantetsu-ffi.

Migration

If you were using zantetsu-ffi for anime filename parsing, no direct equivalent is available. If your project is Rust-based, switch to zantetsu 0.2.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0083: zantetsu-trainer is unmaintained

2026-04-08T12:00:00+00:00

RUSTSEC-2026-0083

zantetsu-trainer is unmaintained

Reported

April 7, 2026

Issued

April 8, 2026

Package

zantetsu-trainer (crates.io)

Type

INFO Unmaintained

References

https://github.com/enrell/psyche/issues/1

Patched

no patched versions

Description

The zantetsu-trainer crate is no longer maintained. The ML training infrastructure it contained was removed as part of the zantetsu 0.2 release, which replaced the neural parser with a pure heuristic engine.

A tombstone version (0.2.0) has been published and 0.1.4 has been yanked. There is no replacement for zantetsu-trainer.

Migration

If you were using zantetsu-trainer as part of a zantetsu-based filename parsing pipeline, switch to zantetsu 0.2, which requires no training step.

Advisory available under CC0-1.0 license.

RUSTSEC-2026-0081: logtrace contained malicious code

2026-04-05T12:00:00+00:00

RUSTSEC-2026-0081

logtrace was removed from crates.io for malicious code

Reported

April 5, 2026

Issued

April 5, 2026

Package

logtrace

Type

Vulnerability

Categories

malicious

Patched

no patched versions

Description

logtrace appeared to be downloading a RAT.

The malicious crate had 2 versions published on 2026-04-01 that had a total of 30 downloads. There were no crates depending on this crate on crates.io.

Thanks to Socket.dev for detecting and reporting this to the crates.io team!

Advisory available under CC0-1.0 license.