Skip to content

Commit 65539e8

Browse files
committed
add new advisories
1 parent a84f688 commit 65539e8

2 files changed

Lines changed: 41 additions & 1 deletion

File tree

latest-id.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
2026-12
1+
2026-13
Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
id: MNBSD-2026-13
2+
summary: Local DoS and possible privilege escalation via routing sockets
3+
details: |
4+
The rtsock_msg_buffer() function serializes routing information into a buffer.
5+
As a part of this, it copies sockaddr structures into a sockaddr_storage
6+
structure on the stack. It assumes that the source sockaddr length field had
7+
already been validated, but this is not necessarily the case, and it's possible
8+
for a malicious userspace program to craft a request which triggers a 127-byte
9+
overflow.
10+
11+
In practice, this overflow immediately overwrites the canary for the
12+
rtsock_msg_buffer() stack frame, resulting in a panic once the function
13+
returns.
14+
15+
The bug allows an unprivileged user to crash the kernel by triggering a stack
16+
buffer overflow in rtsock_msg_buffer(). In particular, the overflow will
17+
corrupt a stack canary value that is verified when the function returns; this
18+
mitigates the impact of the stack overflow by triggering a kernel panic.
19+
20+
Other kernel bugs may exist which allow userspace to find the canary value and
21+
thus defeat the mitigation, at which point local privilege escalation may be
22+
possible.
23+
affected:
24+
- package:
25+
name: kernel
26+
ecosystem: MidnightBSD
27+
ranges:
28+
- type: ECOSYSTEM
29+
events:
30+
- introduced: "0"
31+
- fixed: "4.0.4"
32+
references:
33+
- type: WEB
34+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:05.route.asc
35+
- type: WEB
36+
url: https://www.cve.org/CVERecord?id=CVE-2026-3038
37+
aliases:
38+
- CVE-2026-3038
39+
modified: "2026-02-24T12:00:00Z"
40+
published: "2026-02-24T12:00:00Z"

0 commit comments

Comments
 (0)