Skip to main content

FreeBSD libnv CVE-2026-39457

| EUVDEUVD-2026-26356 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-30 freebsd
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 14:24 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
7.8 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 09:00 euvd
EUVD-2026-26356
Analysis Generated
Apr 30, 2026 - 09:00 vuln.today
CVE Published
Apr 30, 2026 - 08:01 nvd
HIGH 7.8

DescriptionCVE.org

When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).

An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.

AnalysisAI

Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.

Technical ContextAI

The libnv library in FreeBSD provides a name-value pair serialization mechanism used for IPC and capability mode communication. The vulnerability resides in libnv's socket data exchange routines that use select(2) for I/O multiplexing. The select(2) system call uses a fixed-size bitmap (fd_set) with a hardcoded limit of FD_SETSIZE (1024 descriptors on FreeBSD). When libnv passes a file descriptor number ≥1024 to FD_SET() without validation, it writes beyond the fd_set structure's bounds, corrupting adjacent stack memory. This is a classic CWE-121 stack-based buffer overflow. The attack vector requires forcing target applications to exhaust low-numbered file descriptors, pushing newly opened sockets into the >1024 range. Applications using libnv for privilege separation or running with setuid-root bits become privilege escalation targets. The CPE identifier cpe:2.3:a:freebsd:freebsd confirms this affects the core FreeBSD operating system distribution across multiple release branches.

RemediationAI

Apply vendor-released patches immediately via freebsd-update: FreeBSD 15.0 users upgrade to 15.0-RELEASE-p7, FreeBSD 14.4 to 14.4-RELEASE-p3, FreeBSD 14.3 to 14.3-RELEASE-p12, and FreeBSD 13.5 to 13.5-RELEASE-p13. Run 'freebsd-update fetch install' followed by system reboot to ensure patched libnv library is loaded by all processes. Source-based installations should sync to the appropriate stable branch (stable/15, stable/14, stable/13) and rebuild world per FreeBSD handbook procedures. If immediate patching is infeasible, implement compensating controls: audit and remove unnecessary setuid-root bits from binaries using 'find / -perm -4000 -user root' and apply least-privilege principles; configure resource limits via login.conf to restrict maxproc and openfiles for untrusted users, reducing file descriptor exhaustion attack surface (trade-off: may impact legitimate workloads requiring many descriptors); enable and monitor MAC framework policies (mac_bsdextended) to restrict local user interactions with privileged processes. These mitigations reduce but do not eliminate risk as they depend on correct identification of attack-exposed setuid binaries. Complete advisory with technical details and patch information at https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-39457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy