fix(deps): address multiple issues in slab and docker and get_disjoint_mut #772
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description Changes
This request fixes two security vulnerabilities identified in third-party dependencies and core networking behavior, ensuring safer memory access and container isolation across environments.
1. Fix: Out-of-Bounds Access in
slab
(get_disjoint_mut
) — CVE-2025-55159In
slab
v0.4.10, theget_disjoint_mut
method performed an incorrect bounds check by validating indices against the slab’s capacity rather than its length.This flaw could allow access to uninitialized memory, potentially leading to undefined behavior, memory corruption, or process crashes.
Resolution:
This fix prevents unintended access to invalid or uninitialized slots in the slab, thereby eliminating a potential source of memory safety issues.
2. Fix: Bridge Network Isolation Lost After Firewalld Reload — CVE-2025-54410
When
firewalld
is reloaded (e.g., viafirewall-cmd --reload
,killall -HUP firewalld
, orsystemctl reload firewalld
), Docker’s iptables rules are temporarily removed and expected to be re-created.In affected Docker versions, however, the iptables rules responsible for isolating containers in different bridge networks were not restored after a reload.
As a result, containers attached to non-internal bridge networks could gain unintended access to any port on any other container connected to those networks.
Resolution:
firewalld
reload events.--internal
) and rootless modes remain unaffected.This fix restores proper container isolation after firewalld reloads, preventing unauthorized inter-container communication and reinforcing Docker’s network boundary guarantees.
This patch improves security and stability by:
slab
library (get_disjoint_mut
method).firewalld
reloads in Docker Engine.Both fixes align with secure coding practices and follow the recommendations from their respective CVEs (CVE-2025-55159 and CVE-2025-54410).
References
slab
crategodoc
comments.Files changed
in the GitHub PR explorer.SonarCloud Report
in the comment section below once CI passes.