RUSTSEC-2025-0126

Heap-buffer-overflow in nftnl::Batch::with_page_size (nftnl-rs)

Reported
Issued
Package
nftnl (crates.io)
Type
Vulnerability
Categories
Aliases
References
Patched
  • >=0.9.0

Description

A heap-buffer-overflow vulnerability exists in the Rust wrapper for libnftnl, triggered via the nftnl::Batch::with_page_size constructor. When a small or malformed page size is provided, the underlying C code allocates an insufficient buffer, leading to out-of-bounds writes during batch initialization.

The flaw was fixed in commit 94a286f by adding an overflow check:

batch_page_size
    .checked_add(crate::nft_nlmsg_maxsize())
    .expect("batch_page_size is too large and would overflow");
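The effect of that check, as an added example that is not code from nftnl-rs or libnftnl. It assumes both sizes are 32-bit values that get summed into one allocation size; `ASSUMED_MAX_MSG` is a constructed stand-in for `crate::nft_nlmsg_maxsize()`, and all function names are hypothetical.

```rust
// Added illustration, not code from nftnl-rs or libnftnl.
// ASSUMED_MAX_MSG is a constructed stand-in for crate::nft_nlmsg_maxsize().
const ASSUMED_MAX_MSG: u32 = 32 * 1024;

#[derive(Debug, PartialEq)]
enum SizeError {
    /// page_size + max_msg does not fit in u32.
    Overflow { page_size: u32, max_msg: u32 },
}

/// Assumption: models an unchecked 32-bit sum, which wraps silently.
fn alloc_size_unchecked(page_size: u32, max_msg: u32) -> u32 {
    page_size.wrapping_add(max_msg)
}

/// Same checked_add as the fix, but returning an error the caller can
/// handle instead of panicking through expect().
fn alloc_size_checked(page_size: u32, max_msg: u32) -> Result<u32, SizeError> {
    page_size
        .checked_add(max_msg)
        .ok_or(SizeError::Overflow { page_size, max_msg })
}

/// True when the wrapped total is smaller than the page it must hold,
/// i.e. the resulting allocation would be undersized.
fn is_undersized(page_size: u32, max_msg: u32) -> bool {
    alloc_size_unchecked(page_size, max_msg) < page_size
}

fn main() {
    // Constructed sample inputs: one ordinary page size, two near u32::MAX.
    for page_size in [4096u32, u32::MAX - 100, u32::MAX] {
        println!(
            "page_size={page_size:>10} unchecked={:>10} undersized={:<5} checked={:?}",
            alloc_size_unchecked(page_size, ASSUMED_MAX_MSG),
            is_undersized(page_size, ASSUMED_MAX_MSG),
            alloc_size_checked(page_size, ASSUMED_MAX_MSG),
        );
    }
}
```

Callers that take the page size from configuration can run a check like `alloc_size_checked` before constructing the batch, so a bad value becomes a handled error rather than a process abort.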

Mitigation

Upgrade to version 0.9.0 or later, which aborts when the overflow check fails instead of performing the out-of-bounds write.

Advisory available under CC0-1.0 license.