{"id":"RUSTSEC-2025-0142","summary":"Segmentation fault and invalid memory read in `mnl::cb_run`","details":"The function `mnl::cb_run` is marked as safe but exhibits unsound behavior when processing malformed Netlink message buffers.\n\nPassing a crafted byte slice to `mnl::cb_run` can trigger memory violations. The function does not sufficiently validate the input buffer structure before processing, leading to out-of-bounds reads.\n\nThis vulnerability allows an attacker to cause a Denial of Service (segmentation fault) or potentially read unmapped memory by providing a malformed Netlink message.\n\nThe underlying issue is a bug in `libmnl` where during validation `nlh-\u003enlmsg_len` is cast to an `int` and becomes negative if `nlmsg_len` is greater than `INT_MAX`. This causes the validation to succeed even if the buffer is too small for the message. This has been fixed in `libmnl` but still affects version 1.0.5.\n\nThe issue in `mnl` was fixed in commit `cd51bdc` by checking the validity of netlink messages passed to `mnl::cb_run`.","aliases":["GHSA-585q-cm62-757j"],"modified":"2026-02-10T13:31:44.174348Z","published":"2025-10-18T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/mnl"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2025-0142.html"},{"type":"REPORT","url":"https://github.com/mullvad/mnl-rs/issues/15"}],"affected":[{"package":{"name":"mnl","ecosystem":"crates.io","purl":"pkg:cargo/mnl"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.3.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2025-0142.json","informational":null,"cvss":null,"categories":["memory-corruption"]}}],"schema_version":"1.7.3"}