@odaysec odaysec commented Oct 17, 2025

Description of changes

This request fixes two security vulnerabilities identified in third-party dependencies and core networking behavior, ensuring safer memory access and container isolation across environments.

1. Fix: Out-of-Bounds Access in slab (get_disjoint_mut) — CVE-2025-55159

In slab v0.4.10, the get_disjoint_mut method performed an incorrect bounds check by validating indices against the slab’s capacity rather than its length.
This flaw could allow access to uninitialized memory, potentially leading to undefined behavior, memory corruption, or process crashes.

Resolution:

  • Corrected the index validation logic to ensure checks are performed against the slab’s current length.
  • Prevented out-of-bounds mutable access to uninitialized memory regions.
  • Ensured safer memory handling and consistent API behavior under all edge cases.

This fix prevents unintended access to invalid or uninitialized slots in the slab, thereby eliminating a potential source of memory safety issues.

2. Fix: Bridge Network Isolation Lost After Firewalld Reload — CVE-2025-54410

When firewalld is reloaded (e.g., via firewall-cmd --reload, killall -HUP firewalld, or systemctl reload firewalld), Docker’s iptables rules are temporarily removed and expected to be re-created.
In affected Docker versions, however, the iptables rules responsible for isolating containers in different bridge networks were not restored after a reload.
As a result, containers attached to non-internal bridge networks could gain unintended access to any port on any other container connected to those networks.

Resolution:

  • Implemented logic to detect and reapply isolation rules upon firewalld reload events.
  • Ensured that cross-bridge container communication remains properly restricted.
  • Confirmed that internal networks (--internal) and rootless modes remain unaffected.

This fix restores proper container isolation after firewalld reloads, preventing unauthorized inter-container communication and reinforcing Docker’s network boundary guarantees.

This patch improves security and stability by:

  • Ensuring memory-safe access in the slab library (get_disjoint_mut method).
  • Maintaining strict bridge network isolation even after firewalld reloads in Docker Engine.

Both fixes align with secure coding practices and follow the recommendations from their respective CVEs (CVE-2025-55159 and CVE-2025-54410).

References

  • Linked to GitHub issue with discussion and accepted design, OR link to spec that describes this work.
  • Wrote unit and integration tests.
  • Added relevant natspec and godoc comments.
  • Provide a conventional commit message to follow the repository standards.
  • Re-reviewed Files changed in the GitHub PR explorer.
  • Review SonarCloud Report in the comment section below once CI passes.
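The slab bug described in item 1 above, shown with an added toy slab (this is example code written for this page, not slab's own implementation or the PR author's code; `MiniSlab`, `Entry`, `DisjointError` and the `key_passes_*` helpers are invented names). The point it demonstrates is the difference between checking a key against `Vec::capacity()` and against `Vec::len()`: keys between the two fall inside the allocation but outside the initialised region, so a capacity-based check admits exactly the slots that must never be handed out.

```rust
// Added example, not slab's own code: a toy slab whose disjoint-mutable
// accessor validates keys against the initialised length (`Vec::len`), not
// the allocation size (`Vec::capacity`). All names here are invented.

/// One slot: either holding a value or vacated by `remove`.
#[derive(Debug)]
enum Entry<T> {
    Vacant,
    Occupied(T),
}

/// `entries[..len()]` is initialised; the rest of the allocation up to
/// `capacity()` is not, which is exactly what a capacity check wrongly admits.
struct MiniSlab<T> {
    entries: Vec<Entry<T>>,
}

#[derive(Debug, PartialEq)]
enum DisjointError {
    /// Key at or past the initialised length (would touch uninitialised memory).
    OutOfBounds(usize),
    /// Slot exists but holds no value.
    Vacant(usize),
    /// Same key requested twice; two `&mut` to one slot would alias.
    Overlapping(usize),
}

impl<T> MiniSlab<T> {
    fn with_capacity(cap: usize) -> Self {
        MiniSlab { entries: Vec::with_capacity(cap) }
    }

    /// Insert into the first vacant slot, or append; returns the key.
    fn insert(&mut self, value: T) -> usize {
        match self.entries.iter().position(|e| matches!(e, Entry::Vacant)) {
            Some(key) => { self.entries[key] = Entry::Occupied(value); key }
            None => { self.entries.push(Entry::Occupied(value)); self.entries.len() - 1 }
        }
    }

    fn remove(&mut self, key: usize) -> Option<T> {
        match std::mem::replace(self.entries.get_mut(key)?, Entry::Vacant) {
            Entry::Occupied(v) => Some(v),
            Entry::Vacant => None,
        }
    }

    fn get(&self, key: usize) -> Option<&T> {
        match self.entries.get(key)? {
            Entry::Occupied(v) => Some(v),
            Entry::Vacant => None,
        }
    }

    /// The flawed predicate the PR text describes: compares against capacity.
    fn key_passes_capacity_check(&self, key: usize) -> bool {
        key < self.entries.capacity()
    }

    /// The corrected predicate: compares against the initialised length.
    fn key_passes_length_check(&self, key: usize) -> bool {
        key < self.entries.len()
    }

    /// Hand out `N` mutable references to distinct occupied slots, or refuse.
    fn get_disjoint_mut<'a, const N: usize>(
        &'a mut self,
        keys: [usize; N],
    ) -> Result<[&'a mut T; N], DisjointError> {
        // Validate every key before creating any reference.
        for (i, &k) in keys.iter().enumerate() {
            if !self.key_passes_length_check(k) {
                return Err(DisjointError::OutOfBounds(k));
            }
            if matches!(self.entries[k], Entry::Vacant) {
                return Err(DisjointError::Vacant(k));
            }
            if keys[..i].contains(&k) {
                return Err(DisjointError::Overlapping(k));
            }
        }
        let base = self.entries.as_mut_ptr();
        Ok(keys.map(|k| {
            // SAFETY: k < len (slot initialised), keys are pairwise distinct
            // (no aliasing &mut), and the slot was checked to be Occupied.
            let slot: &'a mut Entry<T> = unsafe { &mut *base.add(k) };
            match slot {
                Entry::Occupied(v) => v,
                Entry::Vacant => unreachable!("validated above"),
            }
        }))
    }
}

fn main() {
    let mut slab: MiniSlab<u32> = MiniSlab::with_capacity(8);
    let (a, b) = (slab.insert(10), slab.insert(20));
    // Key 5 lies inside the allocation but past len(): only the capacity check admits it.
    println!("capacity check admits key 5: {}", slab.key_passes_capacity_check(5));
    println!("length check admits key 5:   {}", slab.key_passes_length_check(5));
    println!("get_disjoint_mut([a, 5]) -> {:?}", slab.get_disjoint_mut([a, 5]).map(|_| ()));
    if let Ok([x, y]) = slab.get_disjoint_mut([a, b]) { std::mem::swap(x, y); }
    println!("slot {} = {:?}, slot {} = {:?}", a, slab.get(a), b, slab.get(b));
}
```

The `unsafe` block is deliberately the only place a reference is created, and it runs only after every key has been checked against `len()`, against vacancy and against duplicates; with the capacity-based predicate in its place, `base.add(k)` for a key between `len()` and `capacity()` would dereference uninitialised memory, which is the class of bug the PR description attributes to slab 0.4.10.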
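A host-side check for the firewalld condition in item 2 above, as an added example that is not part of the PR or of Docker's code base: it scans an `iptables -S` style dump and reports Docker bridges that are steered into the isolation chain but no longer have a `DROP` rule there. It assumes Docker's usual `DOCKER-ISOLATION-STAGE-1` / `DOCKER-ISOLATION-STAGE-2` chain layout; both rule dumps in the block are constructed for illustration, the second one modelling a reload that recreated the chains but not the `DROP` rules.

```rust
// Added example, not Docker's code: scan an `iptables -S` dump for Docker
// bridges whose isolation DROP rule is absent. Chain names follow Docker's
// usual DOCKER-ISOLATION-STAGE-1/2 layout (assumed); the dumps are constructed.
use std::collections::BTreeSet;

const STAGE1: &str = "DOCKER-ISOLATION-STAGE-1";
const STAGE2: &str = "DOCKER-ISOLATION-STAGE-2";

/// Value following `flag` in a tokenised rule, e.g. the interface after `-i`.
fn arg_after<'a>(toks: &[&'a str], flag: &str) -> Option<&'a str> {
    toks.windows(2).find(|w| w[0] == flag).map(|w| w[1])
}

/// Bridges that STAGE-1 sends into STAGE-2 (so Docker manages them) but that
/// have no `-o <bridge> -j DROP` rule there: traffic arriving from another
/// bridge is no longer dropped on the way in.
fn bridges_missing_isolation(dump: &str) -> Vec<String> {
    let mut managed = BTreeSet::new();
    let mut dropped = BTreeSet::new();
    for line in dump.lines() {
        let toks: Vec<&str> = line.split_whitespace().collect();
        // Only `-A <chain> ... -j <target>` lines carry rules; skip -P/-N lines.
        if toks.first() != Some(&"-A") || toks.len() < 4 {
            continue;
        }
        let (chain, target) = (toks[1], arg_after(&toks, "-j"));
        if chain == STAGE1 && target == Some(STAGE2) {
            if let Some(i) = arg_after(&toks, "-i") { managed.insert(i.to_string()); }
        } else if chain == STAGE2 && target == Some("DROP") {
            if let Some(o) = arg_after(&toks, "-o") { dropped.insert(o.to_string()); }
        }
    }
    managed.difference(&dropped).cloned().collect()
}

/// Constructed dump of a healthy host: two bridges, both with DROP rules.
const HEALTHY: &str = "\
-P FORWARD DROP
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-example1 ! -o br-example1 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-example1 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
";

/// Constructed dump of the failure mode the PR describes: after a reload the
/// chains exist again but the STAGE-2 DROP rules were not recreated.
const AFTER_RELOAD: &str = "\
-P FORWARD DROP
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-example1 ! -o br-example1 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
";

fn main() {
    for (name, dump) in [("healthy", HEALTHY), ("after reload", AFTER_RELOAD)] {
        let missing = bridges_missing_isolation(dump);
        if missing.is_empty() {
            println!("{name}: every Docker bridge has its isolation DROP rule");
        } else {
            println!("{name}: isolation DROP rule missing for {missing:?}");
        }
    }
}
```

On a real host the dump comes from `iptables -S` (the filter table); running the check before and after a `firewall-cmd --reload` gives a direct signal of whether the isolation rules were restored, which is the behaviour the PR text says affected Docker versions lacked. Internal networks and rootless mode use different rule sets and are outside what this check covers.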

@odaysec odaysec requested a review from srdtrk as a code owner October 17, 2025 10:00
srdtrk (Member) commented Oct 21, 2025

We generally update these dependencies before releasing

@srdtrk srdtrk closed this Oct 21, 2025