RUSTSEC-2025-0132

Reader::open_mmap unsoundly marks unsafe memmap operation as safe

Reported
Issued
Package
maxminddb (crates.io)
Type
Vulnerability
Categories
Keywords
#mmap
References
Patched
  • >=0.27.0
Unaffected
  • <0.11.0
Affected Functions (Version)
  • maxminddb::Reader::open: <0.12.0, >=0.11.0
  • maxminddb::Reader::open_mmap: <0.27.0, >=0.11.0

Description

maxminddb prior to version 0.27 declared Reader::open_mmap as safe even though it wraps an inherently unsafe memmap2 operation and takes no extra step to guarantee safety. This could have led to undefined behaviour if the file were modified on disk while the memory map was still active.
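The hazard described above depends on how the database file gets updated. The following is an added example, not code from the advisory or from maxminddb: it uses only the standard library, a held-open `File` as a stand-in for an active mapping (both pin the same inode), and assumes Unix file semantics. The file names and the helpers `read_via`, `update` and `observe` are hypothetical.

```rust
use std::fs::{self, File};
use std::io::{self, Read, Seek, SeekFrom};
use std::path::Path;

/// Read the whole file through an already-open handle. The handle pins the
/// inode that a memory map of the same file would reference (Unix assumed).
fn read_via(handle: &mut File) -> io::Result<Vec<u8>> {
    let mut buf = Vec::new();
    handle.seek(SeekFrom::Start(0))?;
    handle.read_to_end(&mut buf)?;
    Ok(buf)
}

/// Update `db` in place, or write a sibling file and rename it over `db`.
fn update(db: &Path, new: &[u8], atomic: bool) -> io::Result<()> {
    if atomic {
        let tmp = db.with_extension("tmp");
        fs::write(&tmp, new)?;
        fs::rename(&tmp, db) // new inode; the old one stays intact for existing users
    } else {
        fs::write(db, new) // truncates and rewrites the inode existing users hold
    }
}

/// Returns (bytes behind the pinned inode, owned snapshot) after the update.
pub fn observe(atomic: bool) -> io::Result<(Vec<u8>, Vec<u8>)> {
    let name = format!("rustsec_demo_{}_{}.mmdb", std::process::id(), atomic);
    let db = std::env::temp_dir().join(name);
    fs::write(&db, b"constructed-db-v1")?; // constructed sample contents
    let mut pinned = File::open(&db)?; // stand-in for an active mapping
    let owned = fs::read(&db)?; // private copy, as a read-into-memory loader keeps
    update(&db, b"v2", atomic)?;
    let seen = read_via(&mut pinned)?;
    fs::remove_file(&db)?;
    Ok((seen, owned))
}

fn main() -> io::Result<()> {
    for atomic in [false, true] {
        let (seen, owned) = observe(atomic)?;
        let (s, o) = (String::from_utf8_lossy(&seen), String::from_utf8_lossy(&owned));
        println!("atomic={atomic}: pinned inode={s:?} owned copy={o:?}");
    }
    Ok(())
}
```

An in-place rewrite changes the bytes behind the pinned inode, which is the condition the advisory describes for a live map; a rename-based replacement and an owned in-memory copy both leave the data already in use unchanged.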

Advisory available under CC0-1.0 license.