Description
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).

An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
Published: 2026-04-30
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack overflow in FreeBSD’s libnv library that occurs when a socket descriptor larger than the select(2) file descriptor set limit (FD_SETSIZE 1024) is passed to select(). This defect corrupts the stack during socket I/O handling. When the affected application runs with setuid‑root privileges, the corrupted stack can be leveraged to execute arbitrary code and elevate local privileges, effectively allowing a local attacker to gain root access.

Affected Systems

All FreeBSD installations that utilize the libnv library are potentially affected; the advisory does not specify narrower version ranges, so any deployment of libnv within the base system should be considered at risk.

Risk and Exploitability

The likely attack vector is a local attacker who can open many file descriptors—such as by launching a program that exhausts the descriptor table before invoking a libnv function—thereby forcing the overflow. This scenario is inferred from the description, as the attack does not require external network access. The CVSS score of 7.8 indicates high severity, while the EPSS score of < 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, so no publicly documented exploits exist at this time.

Generated by OpenCVE AI on May 2, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security update that patches libnv to fix the select(2) overflow issue
  • Run libnv-based services with the minimal necessary privileges; avoid using setuid‑root when not required
  • Before invoking libnv, limit or close open socket descriptors so they do not exceed FD_SETSIZE

Generated by OpenCVE AI on May 2, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:beta3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p12:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*

Thu, 30 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Thu, 30 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Description When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
Title Stack overflow via select() file descriptor set overflow
Weaknesses CWE-121
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-05-01T03:55:51.194Z

Reserved: 2026-04-28T15:08:10.626Z

Link: CVE-2026-39457

cve-icon Vulnrichment

Updated: 2026-04-30T13:11:19.517Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-30T09:16:03.270

Modified: 2026-05-01T12:41:46.590

Link: CVE-2026-39457

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T00:30:16Z

Weaknesses