Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
When processing the header of an incoming message, libnv failed to properly validate the message size.
The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
AnalysisAI
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Technical ContextAI
The vulnerability resides in libnv (name-value pairs library), a FreeBSD system library used for serializing and deserializing structured data in messages between processes and across network boundaries. The flaw is a heap-based buffer overflow (CWE-122) occurring during message header parsing. When libnv processes incoming messages, it fails to validate the declared message size against the actual heap buffer allocation before copying data. This classic bounds-checking failure allows writing beyond allocated memory regions. The affected CPE (cpe:2.3:a:freebsd:freebsd) indicates this is a core OS component affecting multiple major FreeBSD releases. Heap overflows in system libraries are particularly dangerous because they execute with the privileges of the calling process and can be triggered from both local and remote contexts depending on how the library is invoked.
RemediationAI
Apply FreeBSD security patches immediately through freebsd-update or rebuild from patched sources. Upgrade to FreeBSD 13.5-RELEASE-p13, 14.3-RELEASE-p12, 14.4-RELEASE-p3, or 15.0-RELEASE-p7 or later as documented in FreeBSD-SA-26:17.libnv (https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc). For systems where immediate patching is infeasible, implement network-level compensating controls by identifying and restricting exposure of services that process untrusted libnv messages-use firewall rules to limit network access to only trusted sources for affected services. Note that identifying which services use libnv may require code review or process monitoring (lsof, dtrace), as many FreeBSD system services potentially invoke this library. Restricting network access will prevent remote exploitation but does not mitigate local privilege escalation risk from malicious authenticated users. Test patches in non-production environments first, as system library updates may require service restarts or system reboot for full effectiveness.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26355