File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1- 2026-12
1+ 2026-13
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-13
2+ summary : Local DoS and possible privilege escalation via routing sockets
3+ details : |
4+ The rtsock_msg_buffer() function serializes routing information into a buffer.
5+ As a part of this, it copies sockaddr structures into a sockaddr_storage
6+ structure on the stack. It assumes that the source sockaddr length field had
7+ already been validated, but this is not necessarily the case, and it's possible
8+ for a malicious userspace program to craft a request which triggers a 127-byte
9+ overflow.
10+
11+ In practice, this overflow immediately overwrites the canary for the
12+ rtsock_msg_buffer() stack frame, resulting in a panic once the function
13+ returns.
14+
15+ The bug allows an unprivileged user to crash the kernel by triggering a stack
16+ buffer overflow in rtsock_msg_buffer(). In particular, the overflow will
17+ corrupt a stack canary value that is verified when the function returns; this
18+ mitigates the impact of the stack overflow by triggering a kernel panic.
19+
20+ Other kernel bugs may exist which allow userspace to find the canary value and
21+ thus defeat the mitigation, at which point local privilege escalation may be
22+ possible.
23+ affected :
24+ - package :
25+ name : kernel
26+ ecosystem : MidnightBSD
27+ ranges :
28+ - type : ECOSYSTEM
29+ events :
30+ - introduced : " 0"
31+ - fixed : " 4.0.4"
32+ references :
33+ - type : WEB
34+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:05.route.asc
35+ - type : WEB
36+ url : https://www.cve.org/CVERecord?id=CVE-2026-3038
37+ aliases :
38+ - CVE-2026-3038
39+ modified : " 2026-02-24T12:00:00Z"
40+ published : " 2026-02-24T12:00:00Z"
You can’t perform that action at this time.
0 commit comments