Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Race condition requires winning a kernel TOCTOU timing window (AC:H); low-privilege local account suffices (PR:L); kernel heap corruption enables scope change beyond the user process boundary (S:C).
Primary rating from Vendor (illumos).
CVSS VectorVendor: illumos
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.
AnalysisAI
Kernel heap corruption in the illumos data-link pseudo-driver (dld) allows an unprivileged local user - including one confined to a non-global zone that owns a datalink - to panic the system or potentially escalate privileges. The flaw in drv_ioc_prop_common() exploits a classic double-copyin TOCTOU race on the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls: the kernel sizes its heap allocation from pr_valsize on the first copyin but re-reads the entire ioctl struct from the same user address a second time, allowing a concurrent thread to enlarge pr_valsize between the two reads and overflow the under-sized buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local account on an illumos-based system with sufficient privilege to open /dev/dld and issue DLDIOC_GETMACPROP or DLDIOC_SETMACPROP ioctls; this access is available to an unprivileged local user including one confined to a non-global zone provided that zone has been granted datalink ownership by the administrator (a common configuration in SmartOS and Triton multi-tenant deployments). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H) and score of 5.8 accurately represent the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged user or zone administrator on a SmartOS compute node opens /dev/dld and prepares a DLDIOC_SETMACPROP ioctl buffer in shared user-space memory, then spawns a concurrent thread that continuously writes an inflated value to pr_valsize while the main thread submits the ioctl repeatedly. When the race is won - pr_valsize is enlarged after the kernel allocates the heap buffer but before the second ddi_copyin() reads the full structure - the kernel writes more data than the buffer can hold, corrupting adjacent heap objects. … |
| Remediation | The primary fix is available as illumos-gate commit 6959feb5b430411a4809b06c53dcdb42fb525eac (https://github.com/illumos/illumos-gate/commit/6959feb5b430411a4809b06c53dcdb42fb525eac); this is an upstream source commit rather than a tagged release, so the exact patched release version is not independently confirmed for illumos-gate, OmniOS, or SmartOS - administrators should monitor https://illumos.org/issues/18020 and their respective vendor release channels for downstream packages incorporating this change. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Illumos Gate
View allRemote kernel heap corruption in the illumos SCTP stack lets an unauthenticated attacker send a crafted INIT ACK packet
illumos illumos-gate before 676abcb has a stack buffer overflow in /dev/net, leading to privilege escalation via a stat
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45034
GHSA-5jqp-7hrf-w792