RUSTSEC-2025-0142

Source
https://rustsec.org/advisories/RUSTSEC-2025-0142
Import Source
https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0142.json
JSON Data
https://api.osv.dev/v1/vulns/RUSTSEC-2025-0142
Published
2025-10-18T12:00:00Z
Modified
2026-02-10T13:31:44.174348Z
Summary
Segmentation fault and invalid memory read in `mnl::cb_run`
Details

The function `mnl::cb_run` is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers.

Passing a crafted byte slice to `mnl::cb_run` can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to out-of-bounds reads.

This vulnerability allows an attacker to cause a Denial of Service (segmentation fault) or potentially read unmapped memory by providing a malformed Netlink message.

The underlying issue is a bug in libmnl where, during validation, `nlh->nlmsg_len` is cast to an `int` and becomes negative if `nlmsg_len` is greater than `INT_MAX`. This causes the validation to succeed even if the buffer is too small for the message. This has been fixed in libmnl but still affects version 1.0.5.

The issue in mnl was fixed in commit cd51bdc by checking the validity of netlink messages passed to `mnl::cb_run`.
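The signed-cast length check described above, next to an unsigned form of the same check, as an added example that is not code from libmnl, mnl, or this advisory. The `demo_*` names and the header struct are hypothetical stand-ins, and the flawed path assumes a compiler such as GCC or Clang where converting an out-of-range `uint32_t` to `int` wraps to a negative value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 16-byte Netlink header (not from libmnl). */
struct demo_nlmsghdr {
    uint32_t nlmsg_len;               /* total length claimed by the sender */
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

/* Flawed pattern: the claimed length is cast to int before the bound check.
 * Assumption: out-of-range uint32_t -> int conversion wraps (GCC/Clang). */
bool demo_len_ok_signed(const struct demo_nlmsghdr *h, int buf_len)
{
    return buf_len >= (int)sizeof(*h) &&
           h->nlmsg_len >= sizeof(*h) &&
           (int)h->nlmsg_len <= buf_len;   /* negative if nlmsg_len > INT_MAX */
}

/* Hardened pattern: every comparison stays unsigned. */
bool demo_len_ok_unsigned(const struct demo_nlmsghdr *h, size_t buf_len)
{
    return buf_len >= sizeof(*h) &&
           h->nlmsg_len >= sizeof(*h) &&
           (size_t)h->nlmsg_len <= buf_len;
}

/* Build a header-only buffer that claims `claimed_len` bytes and run one check. */
bool demo_check(uint32_t claimed_len, bool hardened)
{
    unsigned char buf[sizeof(struct demo_nlmsghdr)] = {0};
    struct demo_nlmsghdr h;

    memcpy(buf, &claimed_len, sizeof(claimed_len)); /* host byte order */
    memcpy(&h, buf, sizeof(h));
    return hardened ? demo_len_ok_unsigned(&h, sizeof(buf))
                    : demo_len_ok_signed(&h, (int)sizeof(buf));
}

int main(void)
{
    /* Constructed input: a 16-byte buffer whose header claims more than INT_MAX. */
    printf("signed check accepts:   %d\n", demo_check(0x80000010u, false));
    printf("unsigned check accepts: %d\n", demo_check(0x80000010u, true));
    return 0;
}
```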

Database specific
{
    "license": "CC0-1.0"
}
Affected packages

crates.io / mnl

Affected ranges

Type
SEMVER
Events
Introduced
0.0.0-0
Fixed
0.3.1

Ecosystem specific

{
    "affects": {
        "functions": [],
        "arch": [],
        "os": []
    },
    "affected_functions": null
}

Database specific

source
"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0142.json"
informational
null
cvss
null
categories
[
    "memory-corruption"
]