Description
When processing the header of an incoming message, libnv failed to properly validate the message size.

The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
Published: 2026-04-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap‑based buffer overflow was discovered in the libnv library of FreeBSD. When libnv processes the header of an incoming message, it fails to validate the message size correctly, allowing an attacker to write beyond the bounds of a heap allocation. This out‑of‑bounds write can cause a crash or system panic and, according to the advisory, an unprivileged user may be able to exploit the flaw to elevate their privileges on the affected system.

Affected Systems

FreeBSD operating systems running the vulnerable libnv component are impacted. No specific product versions were listed in the advisory, so the extent of the vulnerability across releases is not defined in the provided data.

Risk and Exploitability

The vulnerability represents a potential privilege‑escalation path and is a classic heap‑overflow issue (CWE‑122). It has an EPSS score of <1%, indicating a low exploitation probability, and it is not listed in the CISA KEV catalog. The threat is likely localized to systems that accept incoming messages processed by libnv and requires an unprivileged user who can craft a malicious message to trigger the overflow. Given the possibility of privilege escalation and the absence of countermeasures, the risk is moderate to high until the vulnerability is patched. The CVSS score is 8.1, indicating a high severity.

Generated by OpenCVE AI on May 2, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security update that addresses the libnv heap‑overflow bug
  • Limit or eliminate exposure to untrusted external messages that utilize libnv, such as closing or restricting the network service ports that receive these messages
  • Monitor system logs and memory usage for abnormal behavior indicating a possible exploit attempt

Generated by OpenCVE AI on May 2, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:beta3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p12:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Thu, 30 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
Title Heap overflow in libnv
Weaknesses CWE-122
CWE-130
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-05-01T15:26:28.941Z

Reserved: 2026-04-28T15:08:10.642Z

Link: CVE-2026-35547

cve-icon Vulnrichment

Updated: 2026-04-30T13:12:22.260Z

cve-icon NVD

Status : Modified

Published: 2026-04-30T09:16:03.167

Modified: 2026-05-01T16:16:30.273

Link: CVE-2026-35547

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses