{"ecosystem":"cargo","package":"rand_core","version":null,"bugs":[{"id":4488,"ecosystem":"cargo","package_name":"rand_core","affected_version":"0.6.0","fixed_version":"0.6.2","bug_id":"osv:RUSTSEC-2021-0023","title":"Incorrect check on buffer length when seeding RNGs","description":"Summary: rand_core::le::read_u32_into and read_u64_into have incorrect checks on the source buffer length, allowing the destination buffer to be under-filled.\n\nImplications: some downstream RNGs, including Hc128Rng (but not the more widely used ChaCha*Rng), allow seeding using the SeedableRng::from_seed trait-function with too short keys.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/rand_core","labels":["CVE-2021-27378","GHSA-w7j2-35mf-95p7"],"created_at":"2026-04-26 03:01:02.406787+00:00","updated_at":"2026-04-26 03:01:02.406787+00:00"},{"id":4487,"ecosystem":"cargo","package_name":"rand_core","affected_version":"0.4.0-0","fixed_version":"0.4.2","bug_id":"osv:RUSTSEC-2019-0035","title":"Unaligned memory access","description":"Affected versions of this crate violated alignment when casting byte slices to\ninteger slices, resulting in undefined behavior.\n\nThe flaw was corrected by Ralf Jung and Diggory Hardy.","severity":"medium","status":"fixed","source":"osv","source_url":"https://crates.io/crates/rand_core","labels":["CVE-2020-25576","GHSA-mmc9-pwm7-qj5w"],"created_at":"2026-04-26 03:01:02.403240+00:00","updated_at":"2026-04-26 03:01:02.403240+00:00"},{"id":4486,"ecosystem":"cargo","package_name":"rand_core","affected_version":"0.6.0","fixed_version":"0.6.2","bug_id":"osv:GHSA-w7j2-35mf-95p7","title":"Incorrect check on buffer length in rand_core","description":"An issue was discovered in the rand_core crate before 0.6.2 for Rust. Because `read_u32_into` and `read_u64_into` mishandle certain buffer-length checks, a random number generator may be seeded with too little data. The vulnerability was introduced in v0.6.0. The advisory doesn't apply to earlier minor version numbers.\n\nBecause read_u32_into and read_u64_into mishandle certain buffer-length checks, a random number generator may be seeded with too little data.","severity":"critical","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-27378","labels":["CVE-2021-27378","RUSTSEC-2021-0023"],"created_at":"2026-04-26 03:01:02.398606+00:00","updated_at":"2026-04-26 03:01:02.398606+00:00"},{"id":4485,"ecosystem":"cargo","package_name":"rand_core","affected_version":"0.4.0","fixed_version":"0.4.2","bug_id":"osv:GHSA-mmc9-pwm7-qj5w","title":"Unaligned memory access in rand_core","description":"### Impact\nAffected versions of this crate violated alignment when casting byte slices to integer slices, resulting in undefined behavior. `rand_core::BlockRng::next_u64` and `rand_core::BlockRng::fill_bytes` are affected.\n\n### Patches\nThe flaw was corrected by Ralf Jung and Diggory Hardy for `rand_core >= 0.4.2`.\n\n### Workarounds\nNone.\n\n### References\nSee [Rand's changelog](https://github.com/rust-random/rand/blob/master/rand_core/CHANGELOG.md#050---2019-06-06).\n\n### For more information\nIf you have any questions or comments about this advisory, [open an issue in the Rand repository](https://github.com/rust-random/rand/issues/new/choose).\n\n","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/rust-random/rand/security/advisories/GHSA-mmc9-pwm7-qj5w","labels":["CVE-2020-25576","RUSTSEC-2019-0035"],"created_at":"2026-04-26 03:01:02.386468+00:00","updated_at":"2026-04-26 03:01:02.386468+00:00"}],"total":4,"_cache":"hit"}
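Added example (not code from the rand_core crate or from the advisories above): a stand-alone reconstruction of the two conversion helpers named in RUSTSEC-2021-0023, `read_u32_into` and `read_u64_into`, with a correct source-length check beside a deliberately wrong one, so the under-fill the advisory describes can be observed directly. The exact form of the 0.6.0 defect is an assumption here, modelled as the multiplier sitting on the wrong side of the comparison (`4 * src.len() >= dst.len()` instead of `src.len() >= 4 * dst.len()`); the helper names `read_u32_into_buggy`, `under_filled_words_buggy` and `fixed_rejects_short_seed`, and the seed bytes, are constructed for the example. The conversions use `from_le_bytes` on a copied 4- or 8-byte array rather than a pointer cast of the byte slice, which is the alignment-safe pattern that avoids the undefined behaviour described in RUSTSEC-2019-0035.

```rust
use std::convert::TryInto;

/// ASSUMED reconstruction of the pre-0.6.2 defect: the factor of 4 is applied
/// to the source length, so a source far shorter than 4 * dst.len() passes
/// the check. `chunks_exact` then simply stops early and the tail of `dst`
/// keeps whatever it held before (zeros for a fresh seed buffer).
pub fn read_u32_into_buggy(src: &[u8], dst: &mut [u32]) {
    assert!(4 * src.len() >= dst.len(), "source buffer too short");
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Correct check: every destination word consumes four source bytes, so the
/// source must hold at least 4 * dst.len() bytes. Decoding goes through a
/// copied [u8; 4], never through an unaligned *const u32 cast.
pub fn read_u32_into(src: &[u8], dst: &mut [u32]) {
    assert!(src.len() >= 4 * dst.len(), "source buffer too short");
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(4)) {
        *out = u32::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Same shape for 64-bit words: eight source bytes per destination word.
pub fn read_u64_into(src: &[u8], dst: &mut [u64]) {
    assert!(src.len() >= 8 * dst.len(), "source buffer too short");
    for (out, chunk) in dst.iter_mut().zip(src.chunks_exact(8)) {
        *out = u64::from_le_bytes(chunk.try_into().unwrap());
    }
}

/// Feeds `seed` into a zeroed `words`-long state through the buggy helper and
/// reports how many words were never written (still zero afterwards). Callers
/// pass a seed with no all-zero 4-byte groups so the sentinel is unambiguous.
pub fn under_filled_words_buggy(seed: &[u8], words: usize) -> usize {
    let mut dst = vec![0u32; words];
    read_u32_into_buggy(seed, &mut dst);
    dst.iter().filter(|w| **w == 0).count()
}

/// Runs the fixed helper on the same input and reports whether it refused the
/// seed (panicked) instead of silently under-filling the state.
pub fn fixed_rejects_short_seed(seed: &[u8], words: usize) -> bool {
    std::panic::catch_unwind(|| {
        let mut dst = vec![0u32; words];
        read_u32_into(seed, &mut dst);
    })
    .is_err()
}

fn main() {
    // Constructed input: an 8-byte "key" offered to an RNG whose state is
    // eight u32 words, i.e. a 32-byte seed is actually required.
    let short_seed: [u8; 8] = [1, 2, 3, 4, 5, 6, 7, 8];
    let words = 8;

    let missing = under_filled_words_buggy(&short_seed, words);
    println!("buggy check accepted the seed; {missing} of {words} words unfilled");
    println!(
        "fixed check rejects the seed: {}",
        fixed_rejects_short_seed(&short_seed, words)
    );

    let full_seed = [0x11u8; 32];
    println!(
        "fixed check accepts a full 32-byte seed: {}",
        !fixed_rejects_short_seed(&full_seed, words)
    );
}
```

With the eight-byte seed the buggy predicate evaluates `4 * 8 >= 8`, passes, and leaves six of the eight state words untouched, which is the "seeded with too little data" condition in the advisory; the fixed predicate evaluates `8 >= 32` and panics, so a caller cannot construct an under-seeded generator without noticing.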