CVE-2026-39461

UNKNOWN 0.0

select(2) file descriptor set overflow causes stack overflow

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.

CWE	CWE-121
Vendor	freebsd
Product	freebsd
Published	May 21, 2026

Stay Ahead of the Next One

Get instant alerts for freebsd freebsd

Be the first to know when new unknown vulnerabilities affecting freebsd freebsd are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

FreeBSD / FreeBSD

15.0-RELEASE < p9 14.4-RELEASE < p5 14.3-RELEASE < p14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

security.freebsd.org: https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc

Credits

Joshua Rogers of AISLE Research Team