Description
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.

Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.

Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.

An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out of file descriptors and become ineffective.

The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
Published: 2026-03-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A programming error in the FreeBSD blocklistd daemon leads to an unreleased socket descriptor for each adverse event report. As the leaked sockets accumulate, the helper script first fails to execute and blocklistd can no longer block or unblock addresses. When the leak reaches a higher threshold, blocklistd stops accepting new adverse event reports. The resulting denial of service can be abused by forcing the daemon to run out of file descriptors, and it may also degrade overall system performance. Based on the description, an attacker may trigger a large number of adverse events from sacrificial IP addresses to force the leak and disable blocklistd.

Affected Systems

The affected product is the blocklistd daemon that ships with FreeBSD. The vulnerability impacts FreeBSD 15.0 and its patch releases p1 and p2. Any system running blocklistd on these versions without applying the accompanying security update is susceptible.

Risk and Exploitability

The CVSS base score of 7.5 classifies the flaw as high severity, but the EPSS score is below 1%, indicating a very low probability of exploitation at this time. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The attack path itself is straightforward: an adversary can exhaust the daemon's descriptors by flooding blocklistd with adverse event reports. The risk of a denial of service is therefore significant if the flaw is not patched.

Generated by OpenCVE AI on April 16, 2026 at 04:00 UTC.

Remediation

No vendor fix or workaround is currently recorded.

OpenCVE Recommended Actions

  • Upgrade FreeBSD to the latest patch that contains the blocklistd socket close fix, as documented in the FreeBSD security advisory.
  • Restart the blocklistd daemon after applying the update to clear any existing leaked sockets.
  • Implement monitoring of blocklistd’s file descriptor usage and set alerts if the count approaches the system’s limit.
  • As a temporary workaround, consider reducing the frequency of adverse event reports or temporarily disabling blocklistd until the update is applied.
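The monitoring step above can be scripted directly on the host. The following is an added example, not code from OpenCVE, FreeBSD or the blocklistd project: it counts blocklistd's open descriptors from procstat(1) output, compares them with the per-process limit (the real sysctl kern.maxfilesperproc) and alerts at a configurable percentage. It assumes FreeBSD's procstat(1), pgrep(1) and sysctl(8); the 80% default threshold and the embedded sample procstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeBSD or OpenCVE code): alert when blocklistd's open
# descriptor count approaches its per-process limit.

# Constructed sample of `procstat -f <pid>` output for a blocklistd process.
# The FD column (field 3) is numeric for real descriptors and symbolic
# (text, cwd, root, jail, ctty) for the process's special references.
sample_procstat_output() {
    cat <<'EOF'
  PID COMM                FD T V FLAGS    REF  OFFSET PRO NAME
 1234 blocklistd        text v r r-------   -       - -   /usr/libexec/blocklistd
 1234 blocklistd         cwd v d r-------   -       - -   /
 1234 blocklistd        root v d r-------   -       - -   /
 1234 blocklistd           0 v c rw------   3       0 -   /dev/null
 1234 blocklistd           1 v c rw------   3       0 -   /dev/null
 1234 blocklistd           2 v c rw------   3       0 -   /dev/null
 1234 blocklistd           3 s - rw------   1       0 UDD /var/run/blocklistd.sock
 1234 blocklistd           4 s - rw------   1       0 UDD -
EOF
}

# Count real descriptors in procstat -f output read from stdin: skip the header
# line and keep only rows whose FD column is a number.
count_fds() {
    awk 'NR > 1 && $3 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Integer percentage of the limit in use: usage_pct <used> <limit>.
usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Succeed (exit 0) when usage is at or above the threshold percentage,
# so it can be used directly in an `if`: over_threshold <used> <limit> <pct>.
over_threshold() {
    [ "$(usage_pct "$1" "$2")" -ge "$3" ]
}

# Live check against the running daemon. Exit status: 0 healthy, 1 alert,
# 2 daemon not found. Hypothetical helper; the default 80% threshold is a
# constructed choice, not a documented value.
check_blocklistd() {
    threshold=${1:-80}
    pid=$(pgrep -x blocklistd | head -n 1)
    if [ -z "$pid" ]; then
        echo "blocklistd is not running"
        return 2
    fi
    # Per-process descriptor limit on FreeBSD; a login-class limit may be lower.
    limit=$(sysctl -n kern.maxfilesperproc)
    used=$(procstat -f "$pid" | count_fds)
    if over_threshold "$used" "$limit" "$threshold"; then
        echo "ALERT: blocklistd pid $pid holds $used of $limit descriptors"
        return 1
    fi
    echo "ok: blocklistd pid $pid holds $used of $limit descriptors"
    return 0
}

# Offline demonstration on the constructed sample (the live check is
# check_blocklistd, to be run from cron or a monitoring agent on FreeBSD).
sample_procstat_output | count_fds
```

Run `check_blocklistd 75` from cron on the FreeBSD host and page on a non-zero exit; because the leak grows with every adverse event, a steadily rising count with no plateau is itself a signal that the daemon has not been patched and restarted.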

Generated by OpenCVE AI on April 16, 2026 at 04:00 UTC.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:00:00 +0000

Type: CPEs
Values Removed: none
Values Added:
  cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
  cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
  cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*

Wed, 11 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Freebsd; Freebsd freebsd

Type: Vendors & Products
Values Removed: none
Values Added: Freebsd; Freebsd freebsd

Mon, 09 Mar 2026 12:30:00 +0000

Type: Description
Values Removed: none
Values Added: Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired. Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports. An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack. Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out of file descriptors and become ineffective. The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.

Type: Title
Values Removed: none
Values Added: blocklistd(8) socket leak

Type: Weaknesses
Values Removed: none
Values Added: CWE-772
References

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-03-11T15:02:53.159Z

Reserved: 2026-02-09T17:48:49.244Z

Link: CVE-2026-2261

Vulnrichment

Updated: 2026-03-11T15:02:33.155Z

NVD

Status : Analyzed

Published: 2026-03-09T13:15:57.093

Modified: 2026-03-17T15:54:31.733

Link: CVE-2026-2261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:15:24Z

Weaknesses