CVE-2026-3038
Published: 09 March 2026
Summary
CVE-2026-3038 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in FreeBSD. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 8.2 percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-3038 is a stack buffer overflow vulnerability in the FreeBSD kernel's rtsock_msg_buffer() function, which serializes routing information by copying sockaddr structures into a sockaddr_storage structure on the stack. The function assumes the source sockaddr length field has already been validated, but that is not necessarily the case, so a malicious userspace program can craft a request that triggers a 127-byte overflow. The overflow immediately corrupts the stack canary of the function's frame, causing a kernel panic when the function returns. The issue carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-787 (Out-of-bounds Write).
An unprivileged userspace process can trigger the vulnerability by sending a specially crafted request to the routing socket, inducing the buffer overflow and stack canary corruption that results in a kernel panic and a denial-of-service condition. Canary verification limits the immediate impact to a crash, but the advisory notes that other kernel bugs allowing userspace to learn the canary value could let an attacker defeat this mitigation and potentially achieve local privilege escalation.
The FreeBSD Security Advisory FreeBSD-SA-26:05.route provides details on mitigation and patches; see https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10334
Vulnerability details
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.

The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A kernel stack buffer overflow lets an unprivileged local process trigger a panic and denial of service via a crafted routing socket request (T1499.004 Application or System Exploitation); local privilege escalation is conditionally possible if the stack canary is bypassed with the help of other bugs (T1068 Exploitation for Privilege Escalation).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5, AI-generated)
Flaw remediation directly addresses this CVE: applying the vendor patch adds the missing sockaddr length validation in rtsock_msg_buffer(), preventing the buffer overflow and the resulting kernel panic.
Information input validation (SI-10) ensures the sockaddr length field is checked against the destination buffer before the copy into the stack buffer, directly preventing the 127-byte overflow.
Memory protection (SI-16) covers stack canaries and similar safeguards that detect and contain buffer overflows, limiting the impact to a kernel panic rather than privilege escalation.
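To make the input-validation control concrete, the following is an added illustration, not FreeBSD's code and not part of the advisory: a checked copy of a length-prefixed sockaddr into a fixed-size storage buffer, placed next to the unchecked pattern it replaces. The struct definitions are a stand-alone model of the BSD layout (one-byte total length first, 128-byte storage) so the program compiles on any platform; the function names and the self-test inputs are constructed for this example. With an 8-bit length field and 128-byte storage, the largest possible unchecked overrun is 255 - 128 = 127 bytes, which is the figure the advisory reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-alone model of the BSD sockaddr layout: a one-byte total length comes
 * first, then the address family. Constructed for this example; these are NOT
 * the FreeBSD kernel's own types. */
struct bsd_sockaddr {
    uint8_t sa_len;        /* total length of the address, header included */
    uint8_t sa_family;
    char    sa_data[14];
};

#define SS_SIZE 128        /* size of sockaddr_storage on BSD systems */
struct bsd_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    char    ss_pad[SS_SIZE - 2];
};

/* Smallest sa_len that still carries the length and family bytes. */
#define SA_MIN_LEN offsetof(struct bsd_sockaddr, sa_data)

/* Unchecked pattern, shown only for contrast: the declared length is trusted
 * as the copy size. sa_len is 8 bits (max 255) and the destination is 128
 * bytes, so a hostile length overruns the stack buffer by up to 127 bytes.
 * Never use this on untrusted input. */
void copy_sockaddr_unchecked(struct bsd_sockaddr_storage *dst, const uint8_t *msg)
{
    memcpy(dst, msg, msg[0]);
}

/* Checked pattern: validate the declared length against the header size, the
 * bytes actually present in the message, and the destination size before any
 * byte is copied. Returns 0 on success, -1 if the address is rejected. */
int copy_sockaddr_checked(struct bsd_sockaddr_storage *dst,
                          const uint8_t *msg, size_t remaining)
{
    if (remaining < SA_MIN_LEN)      /* cannot even read sa_len/sa_family */
        return -1;
    size_t len = msg[0];             /* sa_len as declared by the sender */
    if (len < SA_MIN_LEN)            /* shorter than its own header */
        return -1;
    if (len > remaining)             /* claims more bytes than the message holds */
        return -1;
    if (len > sizeof(*dst))          /* would overrun the destination */
        return -1;
    memset(dst, 0, sizeof(*dst));    /* no stale bytes left in the padding */
    memcpy(dst, msg, len);
    return 0;
}

/* Largest overrun the unchecked copy can produce for these type sizes. */
size_t max_unchecked_overrun(void)
{
    return UINT8_MAX - sizeof(struct bsd_sockaddr_storage);   /* 255 - 128 = 127 */
}

/* Exercises the checked copy on constructed inputs; returns 1 if every case
 * behaves as intended, 0 otherwise. */
int selftest(void)
{
    struct bsd_sockaddr_storage ss;
    uint8_t msg[256];

    /* Well-formed 16-byte address: accepted, header preserved. */
    memset(msg, 0, sizeof msg);
    msg[0] = 16; msg[1] = 2;
    if (copy_sockaddr_checked(&ss, msg, sizeof msg) != 0) return 0;
    if (ss.ss_len != 16 || ss.ss_family != 2) return 0;

    /* Declared length larger than the destination: rejected. */
    msg[0] = 255;
    if (copy_sockaddr_checked(&ss, msg, sizeof msg) != -1) return 0;

    /* Declared length larger than the bytes remaining in the message: rejected. */
    msg[0] = 32;
    if (copy_sockaddr_checked(&ss, msg, 16) != -1) return 0;

    /* Declared length smaller than its own header: rejected. */
    msg[0] = 1;
    if (copy_sockaddr_checked(&ss, msg, sizeof msg) != -1) return 0;

    return 1;
}

int main(void)
{
    printf("checked copy selftest: %s\n", selftest() ? "ok" : "FAILED");
    printf("max overrun of unchecked copy: %zu bytes\n", max_unchecked_overrun());
    return selftest() ? 0 : 1;
}
```

The point of the three-way check is that the declared length must be bounded by both what the message actually contains (a read overrun otherwise) and what the destination can hold (the write overrun this CVE describes); checking only one of the two still leaves a memory-safety bug.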