Skip to main content

FreeBSD libnv CVE-2026-35547

| EUVDEUVD-2026-26355 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-30 freebsd
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Analysis Updated
May 01, 2026 - 16:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 01, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
May 01, 2026 - 16:22 NVD
CRITICAL HIGH
CVSS changed
May 01, 2026 - 16:22 NVD
9.1 (CRITICAL) 8.1 (HIGH)
Analysis Generated
Apr 30, 2026 - 14:23 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
9.1 (CRITICAL)
EUVD ID Assigned
Apr 30, 2026 - 09:00 euvd
EUVD-2026-26355
Analysis Generated
Apr 30, 2026 - 09:00 vuln.today
CVE Published
Apr 30, 2026 - 08:08 nvd
HIGH 8.1

DescriptionCVE.org

When processing the header of an incoming message, libnv failed to properly validate the message size.

The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.

AnalysisAI

Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.

Technical ContextAI

The vulnerability resides in libnv (name-value pairs library), a FreeBSD system library used for serializing and deserializing structured data in messages between processes and across network boundaries. The flaw is a heap-based buffer overflow (CWE-122) occurring during message header parsing. When libnv processes incoming messages, it fails to validate the declared message size against the actual heap buffer allocation before copying data. This classic bounds-checking failure allows writing beyond allocated memory regions. The affected CPE (cpe:2.3:a:freebsd:freebsd) indicates this is a core OS component affecting multiple major FreeBSD releases. Heap overflows in system libraries are particularly dangerous because they execute with the privileges of the calling process and can be triggered from both local and remote contexts depending on how the library is invoked.

RemediationAI

Apply FreeBSD security patches immediately through freebsd-update or rebuild from patched sources. Upgrade to FreeBSD 13.5-RELEASE-p13, 14.3-RELEASE-p12, 14.4-RELEASE-p3, or 15.0-RELEASE-p7 or later as documented in FreeBSD-SA-26:17.libnv (https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc). For systems where immediate patching is infeasible, implement network-level compensating controls by identifying and restricting exposure of services that process untrusted libnv messages-use firewall rules to limit network access to only trusted sources for affected services. Note that identifying which services use libnv may require code review or process monitoring (lsof, dtrace), as many FreeBSD system services potentially invoke this library. Restricting network access will prevent remote exploitation but does not mitigate local privilege escalation risk from malicious authenticated users. Test patches in non-production environments first, as system library updates may require service restarts or system reboot for full effectiveness.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-35547 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy