Skip to main content

illumos dld EUVDEUVD-2026-45034

| CVE-2026-15449 MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-07-16 illumos GHSA-5jqp-7hrf-w792
5.8
CVSS 4.0 · Vendor: illumos
Share

Severity by source

Vendor (illumos) PRIMARY
5.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Race condition requires winning a kernel TOCTOU timing window (AC:H); low-privilege local account suffices (PR:L); kernel heap corruption enables scope change beyond the user process boundary (S:C).

3.1 AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (illumos).

CVSS VectorVendor: illumos

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 16, 2026 - 20:22 vuln.today
Analysis Generated
Jul 16, 2026 - 20:22 vuln.today
CVE Published
Jul 16, 2026 - 19:27 cve.org
MEDIUM 5.8

DescriptionCVE.org

A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.

AnalysisAI

Kernel heap corruption in the illumos data-link pseudo-driver (dld) allows an unprivileged local user - including one confined to a non-global zone that owns a datalink - to panic the system or potentially escalate privileges. The flaw in drv_ioc_prop_common() exploits a classic double-copyin TOCTOU race on the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls: the kernel sizes its heap allocation from pr_valsize on the first copyin but re-reads the entire ioctl struct from the same user address a second time, allowing a concurrent thread to enlarge pr_valsize between the two reads and overflow the under-sized buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain low-privilege local account
Delivery
Open /dev/dld, obtain datalink ioctl access
Exploit
Spawn concurrent thread to race pr_valsize modification
Execution
Win TOCTOU between kernel's two copyin calls
Persist
Overflow undersized kernel heap buffer
Impact
Corrupt kernel heap, trigger panic or escalate privileges

Vulnerability AssessmentAI

Exploitation Exploitation requires a local account on an illumos-based system with sufficient privilege to open /dev/dld and issue DLDIOC_GETMACPROP or DLDIOC_SETMACPROP ioctls; this access is available to an unprivileged local user including one confined to a non-global zone provided that zone has been granted datalink ownership by the administrator (a common configuration in SmartOS and Triton multi-tenant deployments). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H) and score of 5.8 accurately represent the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user or zone administrator on a SmartOS compute node opens /dev/dld and prepares a DLDIOC_SETMACPROP ioctl buffer in shared user-space memory, then spawns a concurrent thread that continuously writes an inflated value to pr_valsize while the main thread submits the ioctl repeatedly. When the race is won - pr_valsize is enlarged after the kernel allocates the heap buffer but before the second ddi_copyin() reads the full structure - the kernel writes more data than the buffer can hold, corrupting adjacent heap objects. …
Remediation The primary fix is available as illumos-gate commit 6959feb5b430411a4809b06c53dcdb42fb525eac (https://github.com/illumos/illumos-gate/commit/6959feb5b430411a4809b06c53dcdb42fb525eac); this is an upstream source commit rather than a tagged release, so the exact patched release version is not independently confirmed for illumos-gate, OmniOS, or SmartOS - administrators should monitor https://illumos.org/issues/18020 and their respective vendor release channels for downstream packages incorporating this change. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy