{"id":"RUSTSEC-2025-0126","summary":"Heap-buffer-overflow in nftnl::Batch::with_page_size (nftnl-rs)","details":"A heap-buffer-overflow vulnerability exists in the Rust wrapper for libnftnl, triggered via the nftnl::Batch::with_page_size constructor. When a small or malformed page size is provided, the underlying C code allocates an insufficient buffer, leading to out-of-bounds writes during batch initialization.\n\nThe flaw was fixed in commit 94a286f by adding an overflow check:\n```Rust\nbatch_page_size\n    .checked_add(crate::nft_nlmsg_maxsize())\n    .expect(\"batch_page_size is too large and would overflow\");\n```\n\n## Mitigation\n\nUpgrade to version `0.9.0` or later, which aborts instead.","aliases":["GHSA-2fjw-whxm-9v4q"],"modified":"2025-11-27T22:04:51.875660Z","published":"2025-10-18T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/nftnl"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0126.html"},{"type":"REPORT","url":"https://github.com/mullvad/nftnl-rs/issues/76#issue-3528876468"}],"affected":[{"package":{"name":"nftnl","ecosystem":"crates.io","purl":"pkg:cargo/nftnl"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.9.0"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"functions":[],"arch":[],"os":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0126.json","cvss":null,"informational":null,"categories":["memory-corruption"]}}],"schema_version":"1.7.3"}