CVE-2026-3038

High

Published: 09 March 2026
Modified: 17 March 2026
KEV Added
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3038 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the FreeBSD kernel (listed under vendor/product Freebsd Freebsd). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS exploit-likelihood score places it at the 8.2th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-3038 is a stack buffer overflow vulnerability in the FreeBSD kernel's rtsock_msg_buffer() function, which serializes routing information by copying sockaddr structures into a sockaddr_storage structure on the stack. The function assumes the source sockaddr length field has already been validated, but that is not necessarily the case, so a malicious userspace program can craft a request that triggers a 127-byte overflow. The overflow immediately corrupts the stack canary of the function's stack frame, causing a kernel panic when the function returns. The issue carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-787 (Out-of-bounds Write).

An unprivileged userspace process can exploit the vulnerability by sending a specially crafted request to the routing socket, inducing the buffer overflow and stack canary corruption that results in a kernel panic and a denial-of-service condition. Canary verification limits the immediate impact to a crash, but the advisory notes that other kernel bugs which disclose the canary value to userspace could allow an attacker to defeat this mitigation and potentially achieve local privilege escalation.

The FreeBSD Security Advisory FreeBSD-SA-26:05.route provides details on mitigation and patches; see https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc.

EU & UK References

Vulnerability details

The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.

The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1499.004 Application or System Exploitation (tactic: Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A kernel stack buffer overflow allows an unprivileged local process to trigger a panic (denial of service) via a crafted routing socket request (T1499.004 Application or System Exploitation); local privilege escalation is possible only if the stack canary can be bypassed with the help of other bugs (T1068 Exploitation for Privilege Escalation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45253 (same product: Freebsd Freebsd)
CVE-2026-6386 (same product: Freebsd Freebsd)
CVE-2026-4652 (same product: Freebsd Freebsd)
CVE-2026-45251 (same product: Freebsd Freebsd)
CVE-2026-4247 (same product: Freebsd Freebsd)
CVE-2026-7270 (same product: Freebsd Freebsd)
CVE-2026-39461 (same product: Freebsd Freebsd)
CVE-2026-45250 (same product: Freebsd Freebsd)
CVE-2026-7164 (same product: Freebsd Freebsd)
CVE-2026-39457 (same product: Freebsd Freebsd)

Affected Assets

Vendor: freebsd
Product: freebsd
Versions: 13.5, 14.3, 14.4, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation directly addresses this CVE by applying patches that add the missing sockaddr length check in rtsock_msg_buffer(), preventing kernel panics from buffer overflows.

SI-10 Information Input Validation (prevent): Information input validation ensures the sockaddr length field is checked and validated before copying into the stack buffer, directly preventing the 127-byte overflow.

SI-16 Memory Protection (prevent): Memory protection implements stack canaries and related safeguards that detect and contain buffer overflows, limiting the impact to a kernel panic rather than potential privilege escalation.
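The following C program is an added illustration of the input-validation control described above (SI-10) and of the length-check problem described under "Vulnerability details"; it is not FreeBSD code and does not reproduce the rtsock_msg_buffer() patch. It models the general pattern in user space: a routing message carries a sockaddr whose first byte is a self-reported length, and that untrusted length must be bounded against both the bytes actually present in the message and the size of the fixed stack destination before any copy happens. The struct layouts, the 128-byte storage size (the classic BSD sockaddr_storage size, assumed here rather than taken from the page) and all function names are assumptions for the example; the test inputs are constructed. The unchecked_overrun() helper only shows the arithmetic behind the advisory's figure: a one-byte length can claim up to 255 bytes, and 255 minus 128 is the 127-byte overrun.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the BSD socket address layouts (assumption: the classic BSD
 * ABI, where the first byte of a sockaddr is its self-reported length and
 * sockaddr_storage is 128 bytes). Illustrative types, not kernel headers. */
#define SS_MAXSIZE 128u

struct msg_sockaddr {          /* a sockaddr as it arrives inside a routing message */
    uint8_t sa_len;            /* self-reported length, 0..255, fully attacker-controlled */
    uint8_t sa_family;
    uint8_t sa_data[254];      /* room for the largest length a uint8_t can claim */
};

struct stack_storage {         /* models the sockaddr_storage that lives on the stack */
    uint8_t ss_len;
    uint8_t ss_family;
    uint8_t ss_pad[SS_MAXSIZE - 2];
};

enum copy_status {
    COPY_OK = 0,
    COPY_ERR_TOO_SHORT,        /* cannot even hold sa_len and sa_family */
    COPY_ERR_TRUNCATED,        /* claims more bytes than the message actually contains */
    COPY_ERR_TOO_LONG          /* would run past the end of the destination */
};

/* Copy a sockaddr into fixed-size stack storage only after validating the
 * untrusted length against the bytes present in the message (`avail`) and
 * against the capacity of the destination. Rejecting is the safe outcome. */
enum copy_status copy_sockaddr_checked(const struct msg_sockaddr *src,
                                       size_t avail,
                                       struct stack_storage *dst)
{
    size_t len = src->sa_len;

    if (len < 2)
        return COPY_ERR_TOO_SHORT;
    if (len > avail)
        return COPY_ERR_TRUNCATED;
    if (len > sizeof(*dst))
        return COPY_ERR_TOO_LONG;

    memset(dst, 0, sizeof(*dst));       /* no stale stack bytes in the unused tail */
    memcpy(dst, src, len);              /* len is now provably <= sizeof(*dst) */
    return COPY_OK;
}

/* How far an unchecked copy of `claimed_len` bytes would run past a
 * SS_MAXSIZE-byte destination: 255 - 128 = 127 for the largest uint8_t value. */
size_t unchecked_overrun(uint8_t claimed_len)
{
    return claimed_len > SS_MAXSIZE ? (size_t)claimed_len - SS_MAXSIZE : 0;
}

/* Build a constructed message whose sockaddr claims `claimed_len` bytes while
 * only `avail` bytes are treated as present, then run the validated copy. */
enum copy_status run_case(uint8_t claimed_len, size_t avail, struct stack_storage *out)
{
    struct msg_sockaddr msg;
    memset(&msg, 0x41, sizeof(msg));    /* constructed filler bytes */
    msg.sa_len = claimed_len;
    msg.sa_family = 2;                  /* illustrative family value */
    return copy_sockaddr_checked(&msg, avail, out);
}

/* Same as run_case() but against a scratch destination; returns only the status. */
enum copy_status check_len(uint8_t claimed_len, size_t avail)
{
    struct stack_storage scratch;
    return run_case(claimed_len, avail, &scratch);
}

/* Length recorded in the destination after a successful copy (0 if rejected). */
uint8_t copied_len(uint8_t claimed_len, size_t avail)
{
    struct stack_storage st;
    return run_case(claimed_len, avail, &st) == COPY_OK ? st.ss_len : 0;
}

int main(void)
{
    size_t full = sizeof(struct msg_sockaddr);
    printf("sa_len=16             -> status %d\n", check_len(16, full));
    printf("sa_len=255            -> status %d (unchecked overrun would be %zu bytes)\n",
           check_len(255, full), unchecked_overrun(255));
    printf("sa_len=16, 8 present  -> status %d\n", check_len(16, 8));
    return 0;
}
```

The order of the three checks matters: a length that exceeds the bytes actually received is rejected before the destination size is consulted, so a short message cannot be used to read past the end of its own buffer either. A production implementation would additionally log or count rejections, since a well-formed client never sends a sockaddr larger than the storage it is destined for, and a burst of rejections is a useful detection signal.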

References