Skip to main content

FreeBSD libcasper EUVDEUVD-2026-31258

| CVE-2026-39461 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-05-21 freebsd GHSA-pwph-948j-pgvj
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 15:22 vuln.today
Severity Changed
May 21, 2026 - 15:22 NVD
MEDIUM HIGH
CVSS changed
May 21, 2026 - 15:22 NVD
5.1 (MEDIUM) 8.8 (HIGH)
CVE Published
May 21, 2026 - 09:20 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).

An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.

AnalysisAI

Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).

Technical ContextAI

libcasper(3) is FreeBSD's Capsicum-based privilege-separation framework that splits applications into a sandboxed main process and helper services communicating over UNIX domain sockets. The library uses the legacy select(2) syscall, whose fd_set bitmap is sized by the compile-time FD_SETSIZE constant (1024 on FreeBSD). When libcasper writes the socket file descriptor into the fd_set without first verifying fd < FD_SETSIZE, descriptor values >= 1024 cause writes past the bitmap's allocated bounds. This is a textbook CWE-121 stack-based buffer overflow, since the fd_set is typically declared as a stack-resident structure. The affected CPE is cpe:2.3:a:freebsd:freebsd, and any setuid-root binary linked against libcasper inherits the flaw.

RemediationAI

Vendor-released patch: apply the FreeBSD base-system updates to reach FreeBSD 15.0-RELEASE-p9, 14.4-RELEASE-p5, or 14.3-RELEASE-p14 as appropriate, using freebsd-update fetch install followed by a reboot or at minimum restart of all setuid-root services that link libcasper. The authoritative advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc provides the patch and source-tree commits. If patching is delayed, compensating controls include lowering the per-process file-descriptor limit via login.conf or sysctl (kern.maxfilesperproc) to a value safely below 1024 so attackers cannot force allocation above FD_SETSIZE - note this can break workloads that legitimately open many descriptors (database servers, network proxies). Auditing and temporarily removing the setuid bit from non-essential libcasper-linked binaries also blocks the privilege-escalation path at the cost of disabling those tools for unprivileged users.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

EUVD-2026-31258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy