Cyber Posture

CVE-2026-3038

High

Published: 09 March 2026

Modified: 17 March 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-3038 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in FreeBSD. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A kernel stack buffer overflow allows an unprivileged local process to trigger a panic/DoS via a crafted routing socket request (T1499.004 Application or System Exploitation); conditional LPE is possible if the canary is bypassed with other bugs (T1068 Exploitation for Privilege Escalation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns. The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
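The missing check described above, as an added userspace model (not FreeBSD source and not the advisory's patch). It assumes the BSD layout of a one-byte sa_len field and a 128-byte sockaddr_storage, which is where the 127-byte figure comes from (255 - 128); all model_ names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout: one-byte length field, 128-byte storage (as on BSD). */
#define MODEL_SS_MAXSIZE 128

struct model_sockaddr {
    uint8_t sa_len;      /* total length claimed by the sender */
    uint8_t sa_family;
    char    sa_data[14];
};

struct model_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    char    ss_pad[MODEL_SS_MAXSIZE - 2];
};

/* Bytes an unchecked memcpy(dst, src, src->sa_len) would write past dst. */
size_t model_overflow_bytes(uint8_t sa_len)
{
    return sa_len > MODEL_SS_MAXSIZE ? (size_t)sa_len - MODEL_SS_MAXSIZE : 0;
}

/* Bounded copy: src points at avail bytes of caller-supplied data.
 * Returns 0 on success, EINVAL when the claimed length cannot be trusted. */
int model_copy_sockaddr(struct model_sockaddr_storage *dst,
                        const void *src, size_t avail)
{
    uint8_t len;

    if (avail < offsetof(struct model_sockaddr, sa_data))
        return EINVAL;                    /* header itself is truncated */
    len = ((const uint8_t *)src)[0];      /* sa_len is the first byte */
    if (len < offsetof(struct model_sockaddr, sa_data) ||
        len > sizeof(*dst) || len > avail)
        return EINVAL;                    /* would overrun dst or over-read src */
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, len);
    return 0;
}
```

The check validates the length at the point of the copy instead of relying on an earlier caller to have done so, which is the assumption the description identifies as the root cause.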

Deeper analysis (AI)

CVE-2026-3038 is a stack buffer overflow vulnerability in the FreeBSD kernel's rtsock_msg_buffer() function, which serializes routing information by copying sockaddr structures into a sockaddr_storage structure on the stack. The function assumes the source sockaddr length field has already been validated, but this is not necessarily the case, so a malicious userspace program can craft a request that triggers a 127-byte overflow. This immediately corrupts the stack canary for the function's stack frame, causing a kernel panic upon return. The issue carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-787 (Out-of-bounds Write).

An unprivileged userspace process can exploit the vulnerability by sending a specially crafted request to the routing socket, inducing the buffer overflow and stack canary corruption that results in a kernel panic and denial-of-service condition. The canary verification limits immediate impact to a crash, but the description notes that other kernel bugs enabling userspace disclosure of the canary value could allow attackers to defeat this mitigation and potentially achieve local privilege escalation.

The FreeBSD Security Advisory FreeBSD-SA-26:05.route provides details on mitigation and patches; see https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc.

Details

CWE(s)

Affected Products

freebsd freebsd: 13.5, 14.3, 14.4, 15.0

CVEs Like This One

CVE-2026-4247 (same product: FreeBSD)
CVE-2026-5398 (same product: FreeBSD)
CVE-2026-7270 (same product: FreeBSD)
CVE-2026-39457 (same product: FreeBSD)
CVE-2026-7164 (same product: FreeBSD)
CVE-2026-6386 (same product: FreeBSD)
CVE-2026-4652 (same product: FreeBSD)
CVE-2025-15576 (same product: FreeBSD)
CVE-2026-4747 (same product: FreeBSD)
CVE-2025-15547 (same product: FreeBSD)
