CVE-2026-39461
Analyzed Analyzed - Analysis Complete
Stack Corruption in libcasper via FD_SETSIZE Bypass

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: FreeBSD

Description
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-39461
EUVD
EUVD-2026-31258
Affected Vendors & Products
Showing 29 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 15.0
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39461 is a vulnerability in FreeBSD's libcasper library where it improperly handles file descriptors when using the select(2) system call. Specifically, libcasper does not verify that its socket descriptor is within the allowed limit of 1024 descriptors (FD_SETSIZE).

An attacker can exploit this by causing an application that uses libcasper to allocate large file descriptors, for example by opening many descriptors and running a program that does not close them properly. This can lead to stack corruption.

If the affected application runs with setuid root privileges, this stack corruption can be used to escalate local privileges.

Impact Analysis

This vulnerability can lead to stack corruption in applications using libcasper, which may result in local privilege escalation if the application runs with setuid root privileges.

An attacker with local access could exploit this flaw to gain higher privileges on the system, potentially compromising system security and control.

Detection Guidance

There is no specific detection method or commands provided to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should apply the patches released by the FreeBSD Project for the stable and release branches.

Users are advised to upgrade their systems to a corrected version using pkg or freebsd-update utilities.

No workaround is available, so applying the official patches or updates is the recommended immediate step.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart