CVE-2026-3038
Local DoS and possible privilege escalation via routing sockets
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns. The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
| CWE | CWE-787 |
| Vendor | freebsd |
| Product | freebsd |
| Published | Mar 9, 2026 |
| Last Updated | Mar 9, 2026 |
Get instant alerts for freebsd freebsd
Be the first to know when new high vulnerabilities affecting freebsd freebsd are published โ delivered to Slack, Telegram or Discord.