CVE-2026-29781

Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure "kill-switch," instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*

History

11 Mar 2026, 21:59

Type	Values Removed	Values Added
Summary		(es) Sliver es un framework de comando y control que utiliza una pila de red Wireguard personalizada. En versiones desde la 1.7.3 y anteriores, existe una vulnerabilidad en la lógica de desmarshalling de Protobuf del servidor C2 de Sliver debido a una falta sistémica de validación de punteros nulos. Al extraer credenciales de implante válidas y omitir campos anidados en un mensaje firmado, un actor autenticado puede desencadenar un pánico en tiempo de ejecución no manejado. Debido a que las capas de transporte mTLS, WireGuard y DNS carecen del middleware de recuperación de pánico presente en el transporte HTTP, esto resulta en una terminación global del proceso. Si bien requiere acceso post-autenticación (un implante capturado), este fallo actúa efectivamente como un 'kill-switch' de infraestructura, interrumpiendo instantáneamente todas las sesiones activas en toda la flota y requiriendo un reinicio manual del servidor para restaurar las operaciones. En el momento de la publicación, no hay parches disponibles públicamente.
First Time		Bishopfox sliver Bishopfox
CPE		cpe:2.3:a:bishopfox:sliver::::::::
References	~~() https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v -~~	() https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v - Exploit, Mitigation, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

07 Mar 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 16:15

Updated : 2026-03-11 21:59

NVD link : CVE-2026-29781

Mitre link : CVE-2026-29781

CVE.ORG link : CVE-2026-29781

JSON object : View

Products Affected

bishopfox

sliver

CWE

CWE-476

NULL Pointer Dereference

6.5 /10