Skip to content

Commit 2e73708

Browse files
committed
1 parent 3779452 commit 2e73708

2 files changed

Lines changed: 39 additions & 1 deletion

File tree

latest-id.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
2026-15
1+
2026-16
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
id: MNBSD-2026-16
2+
summary: select(2) file descriptor set overflow causes stack overflow
3+
details: |
4+
libcasper(3) communicates with helper processes via UNIX domain sockets, and
5+
uses the select(2) system call to wait for data to become available.
6+
However, it does not verify that its socket descriptor fits within
7+
select(2)'s descriptor set size limit of FD_SETSIZE (1024).
8+
9+
An attacker able to cause an application using libcasper(3) to allocate large
10+
file descriptors, e.g., by opening many descriptors and executing a program
11+
which is not careful to close them upon startup, may trigger stack
12+
corruption. If the target application runs with setuid root privileges, this
13+
could be used to escalate local privileges.
14+
affected:
15+
- package:
16+
name: libcasper
17+
ecosystem: MidnightBSD
18+
ranges:
19+
- type: ECOSYSTEM
20+
events:
21+
- introduced: "4.0.0"
22+
- fixed: "4.0.6"
23+
versions:
24+
- 4.0.0
25+
- 4.0.1
26+
- 4.0.2
27+
- 4.0.3
28+
- 4.0.4
29+
- 4.0.5
30+
references:
31+
- type: WEB
32+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:22.libcasper.asc
33+
- type: WEB
34+
url: https://www.cve.org/CVERecord?id=CVE-2026-39461
35+
aliases:
36+
- CVE-2026-39461
37+
modified: "2026-05-20T12:00:00Z"
38+
published: "2026-05-20T12:00:00Z"

0 commit comments

Comments
 (0)