CVE-2026-39457
File Descriptor Exhaustion in libnv Leads to Stack Corruption

Publication date: 2026-04-30

Last updated on: 2026-05-01

Assigner: FreeBSD

Description
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
Meta Information
Published: 2026-04-30
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 37 associated CPEs
Vendor   Product  Version / Range  CPE entries
freebsd  freebsd  13.5             14
freebsd  freebsd  14.3             12
freebsd  freebsd  14.4             4
freebsd  freebsd  15.0             7
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-39457 is a stack-based buffer overflow vulnerability in FreeBSD's libnv library, which is used for storing and exchanging name-value pairs and facilitating inter-process communication.

The vulnerability occurs because libnv uses the select(2) system call to wait for data on a socket without checking that the socket descriptor fits within select(2)'s file descriptor set size limit (FD_SETSIZE, which is 1024).

An attacker can exploit this by forcing a libnv application to allocate large file descriptors, for example by opening many descriptors and running a program that does not close them properly, which can lead to stack corruption.

If the vulnerable application is setuid-root, this stack corruption can be leveraged to escalate local privileges.


How can this vulnerability impact me?

This vulnerability can lead to stack corruption in applications using the libnv library when handling large socket descriptors.

If the affected application runs with elevated privileges (setuid-root), an attacker could exploit this flaw to escalate their local privileges, potentially gaining root access on the system.

Such privilege escalation can compromise system security, allowing unauthorized actions and access to sensitive data.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no specific detection method or commands provided to identify this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

No workaround is available for this vulnerability.

The recommended immediate step is to upgrade to a patched version of FreeBSD dated after April 29, 2026.

  • Use the freebsd-update tool to apply the binary patch.
  • Alternatively, apply the source code patches and recompile the system.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in libnv can lead to local privilege escalation if exploited, especially in setuid-root applications. This elevation of privileges could potentially allow unauthorized access to sensitive data or system functions.

Such unauthorized access or privilege escalation may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

