CVE-2026-39457
Published: 30 April 2026
Summary
CVE-2026-39457 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in FreeBSD. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of inputs like socket file descriptors to ensure they are within acceptable limits such as FD_SETSIZE, directly preventing the stack buffer overflow in libnv.
SI-16 enforces memory protections such as stack canaries, ASLR, and non-executable stack that mitigate exploitation of the stack-based buffer overflow even if input validation fails.
SI-2 mandates timely identification, reporting, and patching of flaws like CVE-2026-39457 in libnv, eliminating the vulnerability through remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack-based buffer overflow in libnv allows a local, low-privileged attacker to trigger stack corruption via excessive file descriptors, enabling privilege escalation in setuid-root applications.
NVD Description
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
Deeper analysis
CVE-2026-39457 is a stack-based buffer overflow vulnerability in libnv, a library used for exchanging data over sockets. The flaw occurs because libnv invokes the select(2) system call to wait for incoming data without checking if the provided socket file descriptor exceeds the FD_SETSIZE limit of 1024, which can result in stack corruption when large descriptors are used.
A local attacker with low privileges can exploit this vulnerability by forcing a libnv application to allocate file descriptors beyond 1024, such as by opening many descriptors and then executing a program that does not properly close them on startup. This triggers the stack corruption. If the target application is setuid-root, the attacker can achieve local privilege escalation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-121 (Stack-based Buffer Overflow).
The FreeBSD Security Advisory FreeBSD-SA-26:16.libnv details this issue and is available at https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc. Security practitioners should review this advisory for guidance on mitigation and available patches.
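The missing bounds check described above, shown as an added example (this is not libnv's code or the FreeBSD patch). The helper names `wait_readable_select` and `wait_readable_poll` are hypothetical, and EBADF is an assumed choice of error code.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Both helpers return 1 if readable, 0 on timeout, -1 on error (errno set). */
int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds; /* fixed-size bitmap of FD_SETSIZE bits, on the stack */
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    /* Without this check, FD_SET(fd, &rfds) for fd >= FD_SETSIZE writes
     * outside rfds. EBADF is this example's choice of error code. */
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    int n = select(fd + 1, &rfds, NULL, NULL, timeout_ms < 0 ? NULL : &tv);
    if (n <= 0)
        return n;
    return FD_ISSET(fd, &rfds) ? 1 : 0;
}

/* poll(2) takes an array of descriptors, so it has no FD_SETSIZE ceiling. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int n = poll(&pfd, 1, timeout_ms);
    if (n <= 0)
        return n;
    if (pfd.revents & POLLNVAL) { /* fd is not an open descriptor */
        errno = EBADF;
        return -1;
    }
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

int main(void)
{
    int p[2]; /* constructed input: a pipe holding one byte */
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;
    printf("select=%d oversized=%d poll=%d\n", wait_readable_select(p[0], 0),
           wait_readable_select(FD_SETSIZE, 0), wait_readable_poll(p[0], 0));
    return 0;
}
```

The select(2) variant fails closed on an out-of-range descriptor, while the poll(2) variant keeps working for descriptors of any value.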
Details
- CWE(s)