Intel

AIKIDO-2026-875754

rand is vulnerable to Deserialization of Untrusted Data

Deserialization of Untrusted Data Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

37

Low Risk

This Affects:

RUSTrand
0.8.0 - 0.10.1
Fixed in 0.10.2
Are you affected? Scan for Free

TL;DR

The UniformChar distribution in rand stores an inner UniformInt<u32> sampler and, when the serde feature is enabled, derives Deserialize for it. Deserializing a UniformChar from untrusted input bypasses the validating constructors, so the sampler can carry a range whose output exceeds the valid Unicode scalar range. Sampling such a distribution then reaches an unchecked char conversion that produces an invalid char, causing undefined behavior and a memory safety violation. The fix validates the sampler range during deserialization and rejects samplers whose maximum output exceeds the valid char range.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you deserialize a UniformChar distribution from untrusted input with the serde feature enabled.

Background info

rand is vulnerable to Deserialization of Untrusted Data in versions 0.8.0 - 0.10.1.

How to fix this

Upgrade the rand library to the patch version.