Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).
An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
AnalysisAI
Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Technical ContextAI
The libnv library in FreeBSD provides a name-value pair serialization mechanism used for IPC and capability mode communication. The vulnerability resides in libnv's socket data exchange routines that use select(2) for I/O multiplexing. The select(2) system call uses a fixed-size bitmap (fd_set) with a hardcoded limit of FD_SETSIZE (1024 descriptors on FreeBSD). When libnv passes a file descriptor number ≥1024 to FD_SET() without validation, it writes beyond the fd_set structure's bounds, corrupting adjacent stack memory. This is a classic CWE-121 stack-based buffer overflow. The attack vector requires forcing target applications to exhaust low-numbered file descriptors, pushing newly opened sockets into the >1024 range. Applications using libnv for privilege separation or running with setuid-root bits become privilege escalation targets. The CPE identifier cpe:2.3:a:freebsd:freebsd confirms this affects the core FreeBSD operating system distribution across multiple release branches.
RemediationAI
Apply vendor-released patches immediately via freebsd-update: FreeBSD 15.0 users upgrade to 15.0-RELEASE-p7, FreeBSD 14.4 to 14.4-RELEASE-p3, FreeBSD 14.3 to 14.3-RELEASE-p12, and FreeBSD 13.5 to 13.5-RELEASE-p13. Run 'freebsd-update fetch install' followed by system reboot to ensure patched libnv library is loaded by all processes. Source-based installations should sync to the appropriate stable branch (stable/15, stable/14, stable/13) and rebuild world per FreeBSD handbook procedures. If immediate patching is infeasible, implement compensating controls: audit and remove unnecessary setuid-root bits from binaries using 'find / -perm -4000 -user root' and apply least-privilege principles; configure resource limits via login.conf to restrict maxproc and openfiles for untrusted users, reducing file descriptor exhaustion attack surface (trade-off: may impact legitimate workloads requiring many descriptors); enable and monitor MAC framework policies (mac_bsdextended) to restrict local user interactions with privileged processes. These mitigations reduce but do not eliminate risk as they depend on correct identification of attack-exposed setuid binaries. Complete advisory with technical details and patch information at https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26356