rustsec-2025-0142
Vulnerability from osv_rustsec
The function mnl::cb_run is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers.
Passing a crafted byte slice to mnl::cb_run can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to out-of-bounds reads.
This vulnerability allows an attacker to cause a Denial of Service (segmentation fault) or potentially read unmapped memory by providing a malformed Netlink message.
The underlying issue is a bug in libmnl where, during validation, nlh->nlmsg_len is cast to an int and becomes negative if nlmsg_len is greater than INT_MAX. Because the negative value compares as "less than or equal to" the buffer length, the validation succeeds even if the buffer is too small for the message. This has been fixed in libmnl but still affects version 1.0.5.
The issue in mnl was fixed in commit cd51bdc by checking the validity of netlink messages passed to mnl::cb_run.
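The following Rust example is added here to illustrate the two points above; it is not code from the advisory, from libmnl, or from the mnl crate's fix. `nlmsg_ok_buggy` is an assumed reconstruction of the signed-cast check the advisory describes, and `validate_messages` is one way a wrapper can confirm that every header's `nlmsg_len` is consistent with the bytes actually present before handing a buffer to a lower-level callback. The message bytes are constructed inline, with all non-length header fields zeroed.

```rust
use std::convert::TryInto;

/// Size of `struct nlmsghdr` from <linux/netlink.h>: u32 len, u16 type, u16 flags, u32 seq, u32 pid.
const NLMSG_HDRLEN: usize = 16;
/// Netlink messages are padded to 4-byte boundaries.
const NLMSG_ALIGNTO: usize = 4;

fn nlmsg_align(len: usize) -> usize {
    (len + NLMSG_ALIGNTO - 1) & !(NLMSG_ALIGNTO - 1)
}

/// Assumed reconstruction of the length check the advisory describes (not libmnl's source):
/// the u32 `nlmsg_len` is cast to a signed int before comparison with the buffer length,
/// so any value above i32::MAX wraps negative and the "fits in buffer" test passes.
pub fn nlmsg_ok_buggy(nlmsg_len: u32, buf_len: i32) -> bool {
    buf_len >= NLMSG_HDRLEN as i32
        && nlmsg_len as usize >= NLMSG_HDRLEN
        && (nlmsg_len as i32) <= buf_len // wraps for nlmsg_len > i32::MAX
}

#[derive(Debug, PartialEq, Eq)]
pub enum NlError {
    /// Fewer than 16 bytes remain where a header is expected.
    TruncatedHeader { offset: usize },
    /// `nlmsg_len` is smaller than the header itself.
    LengthTooSmall { offset: usize, nlmsg_len: u32 },
    /// `nlmsg_len` claims more bytes than remain in the buffer.
    LengthExceedsBuffer { offset: usize, nlmsg_len: u32, remaining: usize },
}

/// Walk a buffer holding one or more netlink messages and check every header's
/// `nlmsg_len` against the bytes actually present. All arithmetic stays unsigned,
/// so an oversized length is rejected instead of wrapping. Returns the message count.
pub fn validate_messages(buf: &[u8]) -> Result<usize, NlError> {
    let mut offset = 0usize;
    let mut count = 0usize;
    while offset < buf.len() {
        let remaining = buf.len() - offset;
        if remaining < NLMSG_HDRLEN {
            return Err(NlError::TruncatedHeader { offset });
        }
        // nlmsg_len is the first header field, in host byte order.
        let nlmsg_len = u32::from_ne_bytes(buf[offset..offset + 4].try_into().unwrap());
        let claimed = nlmsg_len as usize; // lossless on 32- and 64-bit targets
        if claimed < NLMSG_HDRLEN {
            return Err(NlError::LengthTooSmall { offset, nlmsg_len });
        }
        if claimed > remaining {
            return Err(NlError::LengthExceedsBuffer { offset, nlmsg_len, remaining });
        }
        offset += nlmsg_align(claimed);
        count += 1;
    }
    Ok(count)
}

/// Constructed sample message: 16-byte header carrying the given `nlmsg_len`
/// (type, flags, seq and pid zeroed) followed by `payload`.
pub fn build_message(nlmsg_len: u32, payload: &[u8]) -> Vec<u8> {
    let mut msg = Vec::with_capacity(NLMSG_HDRLEN + payload.len());
    msg.extend_from_slice(&nlmsg_len.to_ne_bytes());
    msg.extend_from_slice(&[0u8; 12]);
    msg.extend_from_slice(payload);
    msg
}

fn main() {
    // A 20-byte buffer whose header claims 0x8000_0010 bytes: the signed-cast check
    // accepts it, the unsigned walk reports the claimed length as exceeding the buffer.
    let oversized = build_message(0x8000_0010, &[0u8; 4]);
    println!("buggy check accepts: {}", nlmsg_ok_buggy(0x8000_0010, oversized.len() as i32));
    println!("validator says: {:?}", validate_messages(&oversized));

    // Two well-formed messages, the first padded to a 4-byte boundary.
    let mut multi = build_message(18, &[9, 9]);
    multi.extend_from_slice(&[0, 0]);
    multi.extend_from_slice(&build_message(16, &[]));
    println!("validator says: {:?}", validate_messages(&multi));
}
```

The validator reports the offset of the offending header, which is what a caller wants in a log line when it drops a buffer; the buggy variant is kept only so the wrap-around can be observed side by side with the unsigned comparison.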
{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "memory-corruption"
        ],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "mnl",
        "purl": "pkg:cargo/mnl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.0.0-0"
            },
            {
              "fixed": "0.3.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "GHSA-585q-cm62-757j"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "The function `mnl::cb_run` is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers.\n\nPassing a crafted byte slice to `mnl::cb_run` can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to out-of-bounds reads.\n\nThis vulnerability allows an attacker to cause a Denial of Service (segmentation fault) or potentially read unmapped memory by providing a malformed Netlink message.\n\nThe underlying issue is a bug in `libmnl` where during validation `nlh-\u003enlmsg_len` is cast to an `int` and becomes negative if `nlmsg_len` is greater than `INT_MAX`. This causes the validation to succeed even if the buffer is too small for the message. This has been fixed in `libmnl` but still affects version 1.0.5.\n\nThe issue in `mnl` was fixed in commit `cd51bdc` by checking the validity of netlink messages passed to `mnl::cb_run`.",
  "id": "RUSTSEC-2025-0142",
  "modified": "2026-02-10T13:23:41Z",
  "published": "2025-10-18T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/mnl"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0142.html"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/mullvad/mnl-rs/issues/15"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Segmentation fault and invalid memory read in `mnl::cb_run`"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.