CVE-2026-2261
Awaiting Analysis Awaiting Analysis - Queue
Socket Descriptor Leak in blocklistd Causes Denial of Service

Publication date: 2026-03-09

Last updated on: 2026-03-17

Assigner: FreeBSD

Description
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired. Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports. An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack. Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective. The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-09
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2261
EUVD
EUVD-2026-10332
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-772 The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2261 is a vulnerability in the blocklistd service of FreeBSD 15.0 caused by a programming error that leaks a socket descriptor for each adverse event report processed.

As these leaked sockets accumulate, blocklistd eventually fails to run its helper script because a forked child process crashes due to dereferencing a null pointer before executing the helper.

At this point, blocklistd continues to log adverse events but cannot block new IP addresses or unblock expired ones. If the leakage continues further, blocklistd becomes unable to receive new adverse event reports altogether.

This resource leak can cause blocklistd to become ineffective and may also slow down the system until blocklistd is restarted.

Impact Analysis

[{'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability by triggering many adverse events from disposable IP addresses, causing blocklistd to exhaust its socket descriptors and disable its blocking functionality.'}, {'type': 'paragraph', 'content': "This effectively disables blocklistd's ability to block malicious IPs, potentially allowing further attacks to succeed."}, {'type': 'paragraph', 'content': 'Even without an attack, normal operations will gradually leak sockets, causing blocklistd to become ineffective over time and potentially slowing down the system.'}, {'type': 'paragraph', 'content': 'A temporary mitigation is to regularly restart blocklistd, but this does not fully protect against attackers using many sacrificial IPs.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the number of open socket descriptors used by the blocklistd service. An unusually high or steadily increasing count of open sockets associated with blocklistd indicates the presence of the socket descriptor leak.'}, {'type': 'paragraph', 'content': 'You can use system commands to check open file descriptors and sockets for the blocklistd process. For example:'}, {'type': 'list_item', 'content': "Use 'sockstat' to list open sockets by blocklistd: sockstat -c -p $(pgrep blocklistd)"}, {'type': 'list_item', 'content': "Use 'lsof' to list open files and sockets for blocklistd: lsof -p $(pgrep blocklistd)"}, {'type': 'list_item', 'content': 'Check the number of open file descriptors for blocklistd: ls /proc/$(pgrep blocklistd)/fd | wc -l (if /proc is available)'}, {'type': 'paragraph', 'content': 'A growing number of open sockets or file descriptors over time without release suggests the vulnerability is active.'}] [1]

Mitigation Strategies

The immediate mitigation step is to regularly restart the blocklistd service to release leaked socket descriptors and restore its blocking functionality.

However, this is only a temporary workaround and may not be sufficient against attackers who deliberately trigger many adverse events.

The recommended permanent solution is to upgrade FreeBSD to a version that includes the fix for this vulnerability. This fix is available in the stable/15 and releng/15.0 branches after 2026-02-10.

Updates can be applied using pkg(8) for systems installed from base packages, freebsd-update(8) for binary distribution sets, or by applying a verified source patch followed by recompilation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2261. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart