CVEFinder.io

CVE-2026-39461

⚠️ high
🔍 Scan for this CVE
Summary

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corr

Description

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).

An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.

CVSS Score
8.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-21
First Seen: 2026-05-22
📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 81.1% of all 328,009 vulnerabilities in our database.

#62,016
Top 25% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 21, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
Joshua Rogers of AISLE Research Team
SSVC data provided by CISA
Last Modified 2026-05-21
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-121

📦 Affected Products 3

Vendor Product Status Affected Versions
freebsd freebsd Affected
v14.3
freebsd freebsd Affected
v14.4
freebsd freebsd Affected
v15.0

🔗 References 1

https://security.freebsd.org/advisories/FreeBSD-SA-2...
Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-45250 ⚠️ high 7.8 0.0 The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is ... 2026-05-21
CVE-2026-45251 ⚠️ high 7.8 0.0 A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. B... 2026-05-21
CVE-2026-45252 🔶 medium 5.5 0.1 When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace ... 2026-05-21
CVE-2026-45253 ⚠️ high 8.4 0.0 ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a... 2026-05-21
CVE-2026-45254 🔶 medium 6.5 0.0 In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key ... 2026-05-21
CVE-2026-45255 ⚠️ high 7.5 0.0 When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and u... 2026-05-21
These CVEs affect the same products