CVE-2026-3038
Awaiting Analysis
Stack Buffer Overflow in FreeBSD rtsock_msg_buffer() Causes Kernel Panic

Publication date: 2026-03-09

Last updated on: 2026-03-17

Assigner: FreeBSD

Description
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.

The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
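The missing check described above, as an added userland illustration (not FreeBSD's code or its patch). The model_* names are hypothetical, and the layout is an assumption: a one-byte length field in front of each address and a 128-byte storage type, which is what yields the 127-byte figure (255 - 128).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_SS_SIZE 128u /* assumed size of the on-stack storage type */

/* Constructed stand-in for a BSD-style sockaddr_storage. */
struct model_sockaddr_storage {
    uint8_t ss_len;    /* total length of the address, header included */
    uint8_t ss_family;
    char    ss_pad[MODEL_SS_SIZE - 2];
};
_Static_assert(sizeof(struct model_sockaddr_storage) == MODEL_SS_SIZE,
               "model storage must be exactly 128 bytes");

/* Bytes an unchecked memcpy(dst, src, sa_len) would write past dst. */
size_t model_overrun(uint8_t sa_len)
{
    return sa_len > MODEL_SS_SIZE ? (size_t)sa_len - MODEL_SS_SIZE : 0;
}

/* Hardened copy: the length byte comes from the requester, so it is
 * validated against both buffers before anything is written.
 * src_avail is the number of bytes really present at src. */
int model_copy_sockaddr(struct model_sockaddr_storage *dst,
                        const unsigned char *src, size_t src_avail)
{
    if (src_avail < 2)
        return EINVAL;                 /* no room for len + family */
    size_t len = src[0];
    if (len < 2 || len > sizeof(*dst) || len > src_avail)
        return EINVAL;                 /* too short, too long, or truncated */
    memset(dst, 0, sizeof(*dst));      /* no stale stack bytes in the tail */
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    unsigned char req[255] = {0};      /* constructed sample input */
    struct model_sockaddr_storage ss;

    req[0] = 255; req[1] = 2;          /* largest value a uint8_t length can hold */
    printf("unchecked copy would overrun by %zu bytes\n", model_overrun(req[0]));
    printf("checked copy returns %d\n", model_copy_sockaddr(&ss, req, sizeof(req)));
    return 0;
}
```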
Meta Information
Published: 2026-03-09
Last Modified: 2026-03-17
Generated: 2026-05-07
AI Q&A: 2026-03-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 24 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0 (4 CPE entries)
freebsd freebsd 13.5 (10 CPE entries)
freebsd freebsd 14.3 (9 CPE entries)
freebsd freebsd 14.4 (1 CPE entry)
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-3038 is a vulnerability in FreeBSD's routing socket interface, specifically in the function rtsock_msg_buffer(). This function serializes routing information by copying sockaddr structures into a buffer on the stack. It incorrectly assumes that the length of the source sockaddr has already been validated, which is not always true.

A malicious local user can craft a routing socket request that triggers a 127-byte stack buffer overflow, overwriting the stack canary used to detect such overflows. This corruption causes an immediate kernel panic when the function returns, resulting in a denial of service (DoS).

While the stack canary prevents silent exploitation, other kernel bugs might allow an attacker to leak the canary value, potentially enabling local privilege escalation. [1]


How can this vulnerability impact me?

This vulnerability allows an unprivileged local user to cause a denial of service (DoS) by crashing the kernel through a stack buffer overflow in the routing socket interface.

If combined with other kernel bugs that leak the stack canary value, it could potentially lead to local privilege escalation, allowing an attacker to gain higher system privileges.

There is no workaround other than applying the official patch, so systems that remain unpatched are vulnerable to these impacts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is triggered by a malicious userspace program crafting a routing socket request that causes a stack buffer overflow in the rtsock_msg_buffer() function, leading to a kernel panic.

Detection involves monitoring for unexpected kernel panics related to routing socket operations, as the overflow corrupts the stack canary and causes an immediate panic.

There are no specific commands provided to detect this vulnerability directly on the network or system.


What immediate steps should I take to mitigate this vulnerability?

No workaround is available other than applying the official patch released by the FreeBSD security team.

Users should upgrade their FreeBSD systems using one of the following methods depending on their installation:

- Use 'pkg upgrade' for base system packages.
- Use 'freebsd-update' for binary distribution sets.
- Apply source code patches followed by recompiling the kernel.

Verified patch files and PGP signatures are provided by the FreeBSD security team to ensure authenticity. [1]

