Stack overflow via select() file descriptor set overflow
Summary
| CVE | CVE-2026-39457 |
|---|---|
| State | PUBLISHED |
| Assigner | freebsd |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-30 09:16:03 UTC |
| Updated | 2026-04-30 09:16:03 UTC |
| Description | When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. |
Risk And Classification
Problem Types: CWE-121 | CWE-121 CWE-121: Stack-based Buffer Overflow
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | FreeBSD | FreeBSD | affected 15.0-RELEASE p7 release | Not specified |
| CNA | FreeBSD | FreeBSD | affected 14.4-RELEASE p3 release | Not specified |
| CNA | FreeBSD | FreeBSD | affected 14.3-RELEASE p12 release | Not specified |
| CNA | FreeBSD | FreeBSD | affected 13.5-RELEASE p13 release | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc | [email protected] | security.freebsd.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Joshua Rogers of AISLE Research Team (en)
There are currently no legacy QID mappings associated with this CVE.