CVE-2026-15449
Received Received - Intake

Heap Corruption in illumos dld Driver via TOCTOU

Vulnerability report for CVE-2026-15449, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: 0ca53633-f0b5-4853-ba72-e0a2e62000d0

Description

A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
illumos illumos *
illumos dld *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld). It affects handling of DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. The function drv_ioc_prop_common() copies the ioctl header twice from user space. Between the two copies, an attacker can modify the size field, causing the second copy to exceed the allocated kernel buffer. This leads to heap corruption and potential system panic.

Detection Guidance

This vulnerability is specific to illumos systems with the dld driver. Detection requires checking system logs for kernel panics or heap corruption errors. No direct commands are provided in the context, but monitoring for crashes or unusual behavior in the dld driver may indicate exploitation.

Impact Analysis

An unprivileged local user, even within a non-global zone, can trigger this flaw to crash the system. The kernel heap corruption may allow further exploitation for privilege escalation or code execution in the kernel context. Systems running illumos with vulnerable dld versions are at risk.

Compliance Impact

This vulnerability primarily impacts system integrity and availability by allowing local users to trigger kernel heap corruption, potentially leading to system crashes or further compromise. While not directly tied to data privacy, such kernel-level flaws could undermine security controls required for compliance with standards like GDPR (data protection) or HIPAA (health data security) by enabling unauthorized system access or disruption of critical services.

Mitigation Strategies

Apply the patch from the illumos-gate repository commit 6959feb5b430411a4809b06c53dcdb42fb525eac. This replaces the double copyin with a single operation and introduces proper buffer size calculation. Update the dld driver to the fixed version to prevent heap corruption and potential privilege escalation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart