select(2) file descriptor set overflow causes stack overflow

CVE	CVE-2026-39461
State	PUBLISHED
Assigner	freebsd
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-21 10:16:25 UTC
Updated	2026-05-21 19:01:35 UTC
Description	libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.

Primary CVSS: v3.1 8.8 HIGH from ADP

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.000060000 probability, percentile 0.004460000 (date 2026-05-27)

Problem Types: CWE-121 | CWE-121 CWE-121: Stack-based Buffer Overflow

Version	Source	Type	Score	Severity	Vector
3.1	ADP	DECLARED	8.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	8.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Freebsd	Freebsd	14.3	-	All	All
Operating System	Freebsd	Freebsd	14.3	p1	All	All
Operating System	Freebsd	Freebsd	14.3	p10	All	All
Operating System	Freebsd	Freebsd	14.3	p11	All	All
Operating System	Freebsd	Freebsd	14.3	p12	All	All
Operating System	Freebsd	Freebsd	14.3	p13	All	All
Operating System	Freebsd	Freebsd	14.3	p2	All	All
Operating System	Freebsd	Freebsd	14.3	p3	All	All
Operating System	Freebsd	Freebsd	14.3	p4	All	All
Operating System	Freebsd	Freebsd	14.3	p5	All	All
Operating System	Freebsd	Freebsd	14.3	p6	All	All
Operating System	Freebsd	Freebsd	14.3	p7	All	All
Operating System	Freebsd	Freebsd	14.3	p8	All	All
Operating System	Freebsd	Freebsd	14.3	p9	All	All
Operating System	Freebsd	Freebsd	14.4	-	All	All
Operating System	Freebsd	Freebsd	14.4	p1	All	All
Operating System	Freebsd	Freebsd	14.4	p2	All	All
Operating System	Freebsd	Freebsd	14.4	p3	All	All
Operating System	Freebsd	Freebsd	14.4	p4	All	All
Operating System	Freebsd	Freebsd	14.4	rc1	All	All
Operating System	Freebsd	Freebsd	15.0	-	All	All
Operating System	Freebsd	Freebsd	15.0	p1	All	All
Operating System	Freebsd	Freebsd	15.0	p2	All	All
Operating System	Freebsd	Freebsd	15.0	p3	All	All
Operating System	Freebsd	Freebsd	15.0	p4	All	All
Operating System	Freebsd	Freebsd	15.0	p5	All	All
Operating System	Freebsd	Freebsd	15.0	p6	All	All
Operating System	Freebsd	Freebsd	15.0	p7	All	All
Operating System	Freebsd	Freebsd	15.0	p8	All	All

Source	Vendor	Product	Version	Platforms
CNA	FreeBSD	FreeBSD	affected 15.0-RELEASE p9 release	Not specified
CNA	FreeBSD	FreeBSD	affected 14.4-RELEASE p5 release	Not specified
CNA	FreeBSD	FreeBSD	affected 14.3-RELEASE p14 release	Not specified

Reference	Source	Link	Tags
security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc	[email protected]	security.freebsd.org	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Joshua Rogers of AISLE Research Team (en)

There are currently no legacy QID mappings associated with this CVE.