Which versions of Sliver are affected by CVE-2026-29781?

Organizations using Sliver should be aware of notable risk from CVE-2026-29781, a null pointer dereference vulnerability rated CVSS 6.5.

Is there a public PoC exploit available for CVE-2026-29781?

Yes, a public proof-of-concept exploit is available for CVE-2026-29781. Prioritise patching immediately. EPSS: 0.1%.

Sliver CVE-2026-29781

Q: What is the CVSS score of CVE-2026-29781?

CVE-2026-29781 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

NULL Pointer Dereference (CWE-476)

2026-03-07 security-advisories@github.com

GHSA-hx52-cv84-jr5v

Denial Of Service Null Pointer Dereference

2.1

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

6.5 (MEDIUM) 2.1 (LOW)

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 11, 2026 - 21:59 vuln.today

Public exploit code

CVE Published

Mar 07, 2026 - 16:15 nvd

MEDIUM 6.5

DescriptionNVD

Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure "kill-switch," instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.

AnalysisAI

Sliver C2 server versions 1.7.3 and earlier can be remotely crashed by authenticated attackers who craft malformed Protobuf messages that exploit missing nil-pointer validation in the unmarshalling logic. Public exploit code exists for this vulnerability, which causes a denial of service affecting all active implant sessions across the entire infrastructure, as the mTLS, WireGuard, and DNS transports lack panic recovery mechanisms. …

RemediationAI

Within 30 days: Identify affected systems running versions from 1.7.3 and and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-29781 vulnerability details – vuln.today

Back