CVE-2020-35926: Improper random number generation in nanorand

August 25, 2021 (updated June 13, 2023)

In versions of nanorand prior to 0.5.1, RandomGen implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an as conversion. This often manifested as RNGs returning nothing but 0, including the cryptographically secure ChaCha random number generator.

References

github.com/Absolucy/nanorand-rs
github.com/Absolucy/nanorand-rs/commit/5ba218ac29df4786b002d7d12b47fa0c04a331f2
github.com/advisories/GHSA-m9m5-cg5h-r582
nvd.nist.gov/vuln/detail/CVE-2020-35926
rustsec.org/advisories/RUSTSEC-2020-0089.html
twitter.com/aspenluxxxy/status/1336684692284772352

Code Behaviors & Features

Detect and mitigate CVE-2020-35926 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →