GHSA-585q-cm62-757j

Source

https://github.com/advisories/GHSA-585q-cm62-757j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-585q-cm62-757j/GHSA-585q-cm62-757j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-585q-cm62-757j

Aliases

RUSTSEC-2025-0142

Published

2026-01-09T19:53:23Z

Modified

2026-02-10T16:30:09.738803Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

mnl has segmentation fault and invalid memory read in `mnl::cb_run`

Details

The function mnl::cb_run is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers.

Passing a crafted byte slice to mnl::cb_run can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to out-of-bounds reads.

This vulnerability allows an attacker to cause a Denial of Service (segmentation fault) or potentially read unmapped memory by providing a malformed Netlink message.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-125"
    ],
    "severity": "LOW",
    "github_reviewed_at": "2026-01-09T19:53:23Z",
    "nvd_published_at": null
}

References

Affected packages

crates.io / mnl

Package

Name: mnl; View open source insights on deps.dev
Purl: pkg:cargo/mnl

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-585q-cm62-757j/GHSA-585q-cm62-757j.json"

last_known_affected_version_range

"<= 0.3.0"