The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.
The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.
Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
References
| Link | Resource |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
17 Mar 2026, 15:55
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
|
| References | () https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc - Vendor Advisory | |
| CPE | cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:* cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:* |
|
| First Time |
Freebsd freebsd
Freebsd |
09 Mar 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
09 Mar 2026, 13:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-09 13:15
Updated : 2026-03-17 15:55
NVD link : CVE-2026-3038
Mitre link : CVE-2026-3038
CVE.ORG link : CVE-2026-3038
JSON object : View
Products Affected
freebsd
- freebsd
CWE
CWE-787
Out-of-bounds Write