Description
The rtsock_msg_buffer() function serializes routing information into a buffer. As part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field has already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.

In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.

The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.

Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
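The length check the description says is missing, as an added illustration. This is constructed example code written here, not FreeBSD's rtsock_msg_buffer() or any other FreeBSD source. It mirrors the BSD sockaddr ABI that the bug depends on (a one-byte sa_len header field and a 128-byte sockaddr_storage), using its own struct names bsd_sockaddr and bsd_sockaddr_storage so that it also builds on non-BSD hosts; the helper names copy_sockaddr_checked, max_unchecked_overflow and try_copy_with_len are likewise assumptions of this example. The point it makes is why the advisory's figure is 127: a trusted one-byte length can claim up to 255 bytes, while the destination holds 128.

```c
/*
 * Constructed example (not FreeBSD code): validating a caller-supplied
 * sockaddr length before copying it into a fixed-size sockaddr_storage
 * on the stack. Struct layouts mirror the BSD ABI (leading uint8_t sa_len).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BSD-style sockaddr header: length byte, family byte, then data. (constructed) */
struct bsd_sockaddr {
    uint8_t sa_len;
    uint8_t sa_family;
    char    sa_data[14];
};

/* BSD sockaddr_storage is 128 bytes, large enough for any address family. (constructed) */
#define BSD_SS_MAXSIZE 128
struct bsd_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    char    ss_pad[BSD_SS_MAXSIZE - 2];
};

/*
 * Worst case when sa_len is trusted: the single length byte can claim up
 * to UINT8_MAX (255) bytes, but the destination holds only 128, so an
 * unchecked copy can run 127 bytes past the end of the stack buffer.
 */
size_t max_unchecked_overflow(void)
{
    return (size_t)UINT8_MAX - sizeof(struct bsd_sockaddr_storage);
}

/*
 * Hardened copy: reject any sockaddr whose declared length is shorter than
 * the fixed header (len + family) or longer than the destination buffer.
 * Returns 0 on success, -1 when the message must be rejected.
 */
int copy_sockaddr_checked(const struct bsd_sockaddr *sa, struct bsd_sockaddr_storage *ss)
{
    if (sa == NULL || ss == NULL)
        return -1;
    if (sa->sa_len < offsetof(struct bsd_sockaddr, sa_data))
        return -1;                      /* header itself is truncated */
    if (sa->sa_len > sizeof(*ss))
        return -1;                      /* would overrun the stack buffer */
    memset(ss, 0, sizeof(*ss));
    memcpy(ss, sa, sa->sa_len);         /* bounded by the checks above */
    return 0;
}

/*
 * Demo/test helper: build a sockaddr that claims `claimed_len` bytes.
 * The source is backed by a full 255-byte buffer so every read stays in
 * bounds; only the declared length varies. (constructed input)
 */
int try_copy_with_len(uint8_t claimed_len)
{
    union {
        struct bsd_sockaddr sa;
        unsigned char raw[UINT8_MAX];
    } src;
    struct bsd_sockaddr_storage ss;

    memset(src.raw, 0xAB, sizeof(src.raw));
    src.raw[0] = claimed_len;           /* sa_len */
    src.raw[1] = 2;                     /* sa_family: AF_INET */
    return copy_sockaddr_checked(&src.sa, &ss);
}

int main(void)
{
    printf("max overflow if sa_len is trusted: %zu bytes\n", max_unchecked_overflow());
    printf("sa_len=16  -> %s\n", try_copy_with_len(16)  == 0 ? "accepted" : "rejected");
    printf("sa_len=128 -> %s\n", try_copy_with_len(128) == 0 ? "accepted" : "rejected");
    printf("sa_len=129 -> %s\n", try_copy_with_len(129) == 0 ? "accepted" : "rejected");
    printf("sa_len=255 -> %s\n", try_copy_with_len(255) == 0 ? "accepted" : "rejected");
    printf("sa_len=1   -> %s\n", try_copy_with_len(1)   == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check has to bound the length on both sides: a value below the header size leaves sa_family unread, and a value above sizeof(struct sockaddr_storage) is exactly the case the advisory describes. Validating once at the point where the request enters the kernel, rather than assuming an earlier caller did so, is what removes the gap the description points to.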
Published: 2026-03-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

A buffer overflow in the FreeBSD routing socket handler rtsock_msg_buffer copies unchecked sockaddr data onto the stack, overwriting a stack canary and causing a kernel panic when the function returns. The crash can be induced by any unprivileged user that can send a crafted routing socket request, resulting in a local denial of service. If a separate kernel flaw later exposes the canary value, the overflow could also be weaponized for local privilege escalation.

Affected Systems

FreeBSD releases affected include 13.5 (patches 1 through 9), 14.3 (patches 1 through 8), 14.4 rc1, and 15.0 (patches 1 through 3). All these versions are impacted until the advisory’s fix is applied.

Risk and Exploitability

The CVSS score of 7.5 marks the flaw as high severity, yet the EPSS score of <1% indicates an extremely low likelihood of exploitation in the wild. The vulnerability is local; an attacker must be able to run arbitrary code on the target system to send the malicious routing socket message. The flaw is not listed in CISA’s KEV catalog, reinforcing the perception that it is not actively exploited at present.

Generated by OpenCVE AI on April 16, 2026 at 10:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FreeBSD system to a patch release that includes the fix for CVE-2026-3038 (e.g., 13.5-p9, 14.3-p8, or 15.0-p3 or newer).
  • If an immediate update is not feasible, restrict unprivileged access to routing sockets by disabling the routing socket interface in system configuration, for example by setting net.inet.routed to 0 or applying appropriate ACLs if supported.
  • Enable and configure a watchdog or kernel panic monitoring service so that any unintended kernel panics caused by misbehaving processes are detected and the system can recover automatically.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:00:00 +0000

Type: CPEs
Values Added:
cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*

Tue, 10 Mar 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Freebsd; Freebsd freebsd

Type: Vendors & Products
Values Added: Freebsd; Freebsd freebsd

Mon, 09 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added:

cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 12:30:00 +0000

Type: Description
Values Added: The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns. The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.

Type: Title
Values Added: Local DoS and possible privilege escalation via routing sockets

Type: Weaknesses
Values Added: CWE-787
References

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-03-09T16:03:25.820Z

Reserved: 2026-02-23T16:26:02.807Z

Link: CVE-2026-3038

Vulnrichment

Updated: 2026-03-09T16:03:18.320Z

NVD

Status: Analyzed

Published: 2026-03-09T13:15:57.227

Modified: 2026-03-17T15:55:14.347

Link: CVE-2026-3038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T10:15:26Z

Weaknesses