GHSA-2fjw-whxm-9v4q: libnftnl has Heap-based Buffer Overflow in nftnl::Batch::with_page_size (nftnl-rs)

November 25, 2025 (updated December 1, 2025)

A heap-buffer-overflow vulnerability exists in the Rust wrapper for libnftnl, triggered via the nftnl::Batch::with_page_size constructor. When a small or malformed page size is provided, the underlying C code allocates an insufficient buffer, leading to out-of-bounds writes during batch initialization.

The flaw was fixed in commit 94a286f by adding an overflow check:

batch_page_size
.checked_add(crate::nft_nlmsg_maxsize())
.expect("batch_page_size is too large and would overflow");

References

github.com/advisories/GHSA-2fjw-whxm-9v4q
github.com/mullvad/nftnl-rs
github.com/mullvad/nftnl-rs/commit/94a286f87e88f431913d19668246de9006790125
github.com/mullvad/nftnl-rs/issues/76
rustsec.org/advisories/RUSTSEC-2025-0126.html

Code Behaviors & Features

Detect and mitigate GHSA-2fjw-whxm-9v4q with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →