CVE-2026-29781
Nil-Pointer Dereference in Sliver C2 Causes Global Server Crash

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Sliver is a command and control framework that uses a custom Wireguard netstack. In versions 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure "kill-switch," instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.
Affected Vendors & Products
Vendor: bishopfox
Product: sliver
Version / Range: up to and including 1.7.3
CWE
CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-29781 is a critical vulnerability in the Sliver command and control (C2) server, specifically in its Protobuf unmarshalling logic. The issue arises because the server does not properly validate nested Protobuf sub-messages after unmarshalling, leading to nil-pointer dereferences when these optional nested fields are omitted by an authenticated attacker.

Technically, Sliver uses proto3, where all fields are optional and nested sub-messages are pointers. If a nested sub-message like `Register` inside `BeaconRegister` is missing, the pointer is nil. The server accesses fields of this nil pointer without checking, causing an immediate runtime panic.

This panic causes the Sliver server process to crash on certain transport layers (mTLS, WireGuard, DNS) that lack panic recovery middleware, resulting in a full denial-of-service (DoS) that severs all active sessions and requires a manual restart. The vulnerability requires possession of valid implant credentials to exploit. [1]


How can this vulnerability impact me?

This vulnerability can cause a complete denial-of-service (DoS) of the Sliver C2 server infrastructure. An authenticated attacker with implant credentials can send a specially crafted message that triggers a nil-pointer dereference, causing the server process to crash.

On affected transport layers like mTLS, WireGuard, and DNS, this crash is unhandled and results in the termination of the entire Sliver server process, instantly severing all active sessions across the entire fleet.

Operators will lose all active sessions, shell buffers, and monitoring streams, and implants will lose connectivity, potentially triggering implant-side cleanup or kill logic. Recovery requires a manual server restart, causing operational disruption.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unexpected Sliver C2 server crashes or process terminations, especially when using mTLS, WireGuard, or DNS transport layers. Since the vulnerability causes a runtime panic leading to a full server crash, detection involves observing abrupt server stoppages or loss of all active implant sessions.

Additionally, detection requires verifying if an authenticated actor is sending malformed Protobuf messages that omit nested fields, particularly the `Register` sub-message in `BeaconRegister` messages.

There are no specific commands provided in the resources to detect this vulnerability directly on the network or system.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include implementing strict nil-pointer validation for all nested Protobuf fields immediately after unmarshalling to prevent runtime panics.

  • Check for nil pointers before accessing nested fields, for example, verify if `beaconReg.Register == nil` before using its fields.
  • Replace direct metadata field access with safe accessor functions that handle missing data gracefully to avoid panics.
  • Introduce panic recovery middleware that wraps all handler invocations in `recover()` blocks to catch panics, log errors, and prevent the entire server from crashing.

Since no patches are publicly available at the time of publication, these defensive programming and middleware strategies are critical to mitigate the risk.
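The following Go example illustrates the three mitigation points above: the unchecked dereference that matches CWE-476, a nil check applied right after unmarshalling, and a `recover()` wrapper that turns a handler panic into a returned error instead of a process crash. It is added here for illustration and is not Sliver's code; the `Register` and `BeaconRegister` structs are constructed stand-ins for proto3-generated types, and `vulnerableName`, `safeName` and `withRecover` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for proto3-generated message types (not Sliver's real
// types): a nested sub-message is a pointer, so an omitted field arrives as nil.
type Register struct {
	Name string
}
type BeaconRegister struct {
	ID       string
	Register *Register // optional in proto3; nil when the sender omits it
}

// vulnerableName shows the CWE-476 pattern: the nested pointer is
// dereferenced without validation and panics when it is nil.
func vulnerableName(b *BeaconRegister) string {
	return b.Register.Name
}

// ErrMissingRegister is returned instead of panicking when validation fails.
var ErrMissingRegister = errors.New("beacon register: missing Register sub-message")

// safeName validates the nested pointer right after unmarshalling.
func safeName(b *BeaconRegister) (string, error) {
	if b == nil || b.Register == nil {
		return "", ErrMissingRegister
	}
	return b.Register.Name, nil
}

// withRecover wraps a handler so that a panic becomes a returned error
// (to be logged) rather than terminating the whole server process.
func withRecover(handler func(*BeaconRegister) string, b *BeaconRegister) (res string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return handler(b), nil
}

func main() {
	msg := &BeaconRegister{ID: "beacon-1"} // constructed: Register omitted
	_, err := safeName(msg)
	fmt.Println("validation:", err)
	_, err = withRecover(vulnerableName, msg)
	fmt.Println("recovered:", err)
}
```

In a real server the wrapper belongs at the transport layer around every handler invocation, so the mTLS, WireGuard and DNS paths get the same protection the HTTP transport already has.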

