FKIE_CVE-2026-3038

Vulnerability from fkie_nvd - Published: 2026-03-09 13:15 - Updated: 2026-03-09 17:16
Summary
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns. The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
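The length-trusting copy the advisory describes, placed beside a bounds-checked version, as an added example that is not code from the FreeBSD kernel: the struct layouts, the 128-byte `SS_SIZE`, the `build_request` helper and the `demo_*` names are local assumptions and constructed input, chosen so the example compiles on any libc without kernel headers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Local mirrors of FreeBSD's BSD-style layouts (assumption: one-byte sa_len
 * prefix, 128-byte sockaddr_storage), so this builds without kernel headers. */
struct bsd_sockaddr { uint8_t sa_len, sa_family; char sa_data[14]; };
#define SS_SIZE 128
struct bsd_sockaddr_storage { uint8_t ss_len, ss_family; char ss_pad[SS_SIZE - 2]; };

/* Vulnerable pattern: memcpy(&ss, sa, sa->sa_len) with sa_len never checked.
 * Rather than perform the copy, report how many bytes would land past the end
 * of the on-stack sockaddr_storage (and therefore into the stack canary). */
size_t unchecked_copy_overflow(const struct bsd_sockaddr *sa)
{
    size_t n = sa->sa_len;
    return n > SS_SIZE ? n - SS_SIZE : 0;
}

/* Hardened pattern: validate the caller-supplied length against both the fixed
 * header size and the destination size before touching memory. */
bool checked_copy(struct bsd_sockaddr_storage *ss, const struct bsd_sockaddr *sa)
{
    size_t n = sa->sa_len;
    if (n < offsetof(struct bsd_sockaddr, sa_data) || n > sizeof(*ss))
        return false;           /* caller should reject the request (EINVAL) */
    memset(ss, 0, sizeof(*ss));
    memcpy(ss, sa, n);
    return true;
}

/* Constructed userspace request: a 256-byte buffer whose leading sockaddr
 * claims whatever sa_len we choose (255 is the largest a uint8_t allows). */
static void build_request(uint8_t raw[256], uint8_t claimed_len)
{
    memset(raw, 0x41, 256);
    raw[0] = claimed_len;
    raw[1] = 2;                 /* AF_INET */
}

size_t demo_overflow_bytes(void)   /* 255 - 128 == 127, as in the advisory */
{
    uint8_t raw[256];
    build_request(raw, 255);
    return unchecked_copy_overflow((const struct bsd_sockaddr *)raw);
}

bool demo_checked_copy(uint8_t claimed_len)   /* false for 255, true for 16 */
{
    uint8_t raw[256];
    struct bsd_sockaddr_storage ss;
    build_request(raw, claimed_len);
    return checked_copy(&ss, (const struct bsd_sockaddr *)raw) && ss.ss_len == claimed_len;
}
```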

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The rtsock_msg_buffer() function serializes routing information into a buffer.  As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack.  It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it\u0027s possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.\n\n In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.\n\nThe bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer().  In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.\n\nOther kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n rtsock_msg_buffer() serializa informaci\u00f3n de enrutamiento en un b\u00fafer. Como parte de esto, copia estructuras sockaddr en una estructura sockaddr_storage en la pila. Asume que el campo de longitud de la sockaddr de origen ya hab\u00eda sido validado, pero este no es necesariamente el caso, y es posible que un programa malicioso en el espacio de usuario elabore una solicitud que desencadene un desbordamiento de 127 bytes.\n\nEn la pr\u00e1ctica, este desbordamiento sobrescribe inmediatamente el canario del marco de pila de rtsock_msg_buffer(), lo que resulta en un p\u00e1nico una vez que la funci\u00f3n regresa.\n\nEl error permite a un usuario sin privilegios bloquear el kernel al desencadenar un desbordamiento de b\u00fafer de pila en rtsock_msg_buffer(). En particular, el desbordamiento corromper\u00e1 un valor de canario de pila que se verifica cuando la funci\u00f3n regresa; esto mitiga el impacto del desbordamiento de pila al desencadenar un p\u00e1nico del kernel.\n\nOtros errores del kernel pueden existir que permitan al espacio de usuario encontrar el valor del canario y as\u00ed anular la mitigaci\u00f3n, momento en el que la escalada de privilegios local puede ser posible."
    }
  ],
  "id": "CVE-2026-3038",
  "lastModified": "2026-03-09T17:16:18.757",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-09T13:15:57.227",
  "references": [
    {
      "source": "secteam@freebsd.org",
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc"
    }
  ],
  "sourceIdentifier": "secteam@freebsd.org",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "secteam@freebsd.org",
      "type": "Secondary"
    }
  ]
}
