diff --git a/ext/random/engine_mt19937.c b/ext/random/engine_mt19937.c
index 8940430a69f79..a84fb9585c806 100644
--- a/ext/random/engine_mt19937.c
+++ b/ext/random/engine_mt19937.c
@@ -389,11 +389,11 @@ PHP_METHOD(Random_Engine_Mt19937, __debugInfo)
 if (engine->engine.algo->serialize) {
 array_init(&t);
+ zend_hash_str_add(Z_ARR_P(return_value), "__states", strlen("__states"), &t);
 if (!engine->engine.algo->serialize(engine->engine.state, Z_ARRVAL(t))) {
 zend_throw_exception(NULL, "Engine serialize failed", 0);
 RETURN_THROWS();
 }
- zend_hash_str_add(Z_ARR_P(return_value), "__states", strlen("__states"), &t);
 }
 }
 /* }}} */
diff --git a/ext/random/engine_xoshiro256starstar.c b/ext/random/engine_xoshiro256starstar.c
index c26297a5f9301..8dd0156dcb2dd 100644
--- a/ext/random/engine_xoshiro256starstar.c
+++ b/ext/random/engine_xoshiro256starstar.c
@@ -149,6 +149,10 @@ static bool unserialize(void *state, HashTable *data)
 }
 }
+ if (UNEXPECTED(s->state[0] == 0 && s->state[1] == 0 && s->state[2] == 0 && s->state[3] == 0)) {
+ return false;
+ }
+
 return true;
 }
diff --git a/ext/random/tests/02_engine/xoshiro256starstar_unserialize_zero_state.phpt b/ext/random/tests/02_engine/xoshiro256starstar_unserialize_zero_state.phpt
new file mode 100644
index 0000000000000..6ebcd03e85704
--- /dev/null
+++ b/ext/random/tests/02_engine/xoshiro256starstar_unserialize_zero_state.phpt
@@ -0,0 +1,14 @@
+--TEST--
+GH-21731: Xoshiro256StarStar::__unserialize() must reject the all-zero state
+--FILE--
+getMessage(), PHP_EOL;
+}
+
+?>
+--EXPECT--
+Invalid serialization data for Random\Engine\Xoshiro256StarStar object
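Review bot: The result of the moved `zend_hash_str_add` call on the added line is still discarded, yet that call returns NULL when `return_value` already holds a `__states` key; in that case `t` is never attached, its freshly initialised array is leaked on both the success and the throwing path, and the serialized state silently disappears from the debug output. The move appears intended to hand ownership of `t` to `return_value` before `serialize()` can fail, so that ownership should be confirmed rather than assumed: `zval *slot = zend_hash_str_add(Z_ARR_P(return_value), "__states", strlen("__states"), &t);` followed by `if (!slot) { zval_ptr_dtor(&t); zend_throw_exception(NULL, "Engine serialize failed", 0); RETURN_THROWS(); }` (or `zend_hash_str_update` if the engine state is meant to override a same-named property). I cannot see from this hunk how `return_value` is populated, so whether the key can actually collide is an inference. The body of `__debugInfo` starts outside the hunk.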
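Review bot: The new all-zero rejection carries no comment explaining why, and the reason is security-relevant rather than a format check: the all-zero vector is a fixed point of xoshiro256**, so an engine restored from attacker-supplied or corrupted serialized data would emit zeros forever. I would put `/* The all-zero state is a fixed point of xoshiro256** and would generate zeros forever; reject it here, as the seeding path presumably already does. */` above the added `if`. Note also that the check runs after the four words have already been written into `s->state`, so a caller that catches the resulting exception and keeps using the object is left with the zero state; the earlier `return false` paths of this function appear to behave the same way, so this is pre-existing and only worth a mention. The start of `unserialize()` is outside the hunk.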
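Review bot: The test pins only the rejection path via the single `--EXPECT--` line, so it would also pass if the guard were over-broad, for example if it rejected any state containing one zero word; a companion assertion that a state with exactly one non-zero word still round-trips through `unserialize()` would pin the intended boundary. The `--FILE--` section as shown here is cut (the hunk header announces 14 lines and the `<?php` prologue is missing), so I cannot tell whether such a positive case is already present.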