Update Rust crate rand to v0.8.6 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rand (source)	dev-dependencies	patch	0.8.5 → 0.8.6
rand (source)	dependencies	patch	0.8.5 → 0.8.6

---

Rand is unsound with a custom logger using rand::rng()

GHSA-cq8v-f236-94qc

More information

Details

It has been reported (by @​lopopolo) that the rand library is unsound (i.e. that safe code using the public API can cause Undefined Behaviour) when all the following conditions are met:

• The log and thread_rng features are enabled
• A custom logger is defined
• The custom logger accesses rand::rng() (previously rand::thread_rng()) and calls any TryRng (previously RngCore) methods on ThreadRng
• The ThreadRng (attempts to) reseed while called from the custom logger (this happens every 64 kB of generated data)
• Trace-level logging is enabled or warn-level logging is enabled and the random source (the getrandom crate) is unable to provide a new seed

TryRng (previously RngCore) methods for ThreadRng use unsafe code to cast *mut BlockRng<ReseedingCore> to &mut BlockRng<ReseedingCore>. When all the above conditions are met this results in an aliased mutable reference, violating the Stacked Borrows rules. Miri is able to detect this violation in sample code. Since construction of aliased mutable references is Undefined Behaviour, the behaviour of optimized builds is hard to predict.

Severity

Low

References

• https://github.com/rust-random/rand/pull/1763
• https://rustsec.org/advisories/RUSTSEC-2026-0097.html
• https://github.com/advisories/GHSA-cq8v-f236-94qc

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

rust-random/rand (rand)

v0.8.6

Compare Source

What's Changed

This release back-ports a fix from v0.10. See also #​1763.

Changes

• Deprecate feature log (#​1772)

• Drop the experimental simd_support feature.

New Contributors

• @​nwalfield made their first contribution in #​1772

Full Changelog: rust-random/rand@0.8.5...0.8.6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[xtqqczze]

Duplicate of #73

[xtqqczze]

GHSA-cq8v-f236-94qc tracked by #70

[codspeed-hq]

Merging this PR will not alter performance

✅ 20 untouched benchmarks
⏩ 9 skipped benchmarks¹

---

_{Comparing renovate/crate-rand-vulnerability (af60664) with main (aaeab12)}

Footnotes

1. 9 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[xtqqczze]

Duplicate of #78