CVE-2026-39461

8.8 HIGH

Published: 2026-05-21 · Last updated: 2026-05-21

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-121

Affected products

Vendor: freebsd
Product: freebsd

Description

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-45255 When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) t... (7.5 HIGH)
  • CVE-2026-45254 In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "a... (6.5 MEDIUM)
  • CVE-2026-45253 ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls (8.4 HIGH)
  • CVE-2026-45252 When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retriev... (5.5 MEDIUM)
  • CVE-2026-45251 A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor (7.8 HIGH)

Same CWE

  • CVE-2026-10829 A stack-based buffer overflow vulnerability has been found in the NPort W2150A-W4/W2250A-W4 Series version 1.5 and earlier
  • CVE-2026-7273 A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allo... (8.8 HIGH)
  • CVE-2025-55660 A stack overflow in the gf_opus_read_length function (media_tools/av_parsers.c) of GPAC MP4Box v2.4 allows attackers to cause a Denial of... (5.5 MEDIUM)
  • CVE-2026-8356 LibreOffice can import presentations in the legacy binary PPT format
  • CVE-2026-12222 A vulnerability was determined in Yealink SIP-T46U 108.86.0.118 (8.0 HIGH)