FreeBSD libnv Header Size Validation Bypass Enables Privilege Escalation
CVE-2026-35547 Published on April 30, 2026
Heap overflow in libnv
When processing the header of an incoming message, libnv failed to properly validate the message size.
The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
Vulnerability Analysis
CVE-2026-35547 can be exploited with network access and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Types
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
What is a Length Manipulation Vulnerability?
The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. If an attacker can manipulate the length parameter associated with an input such that it is inconsistent with the actual length of the input, this can be leveraged to cause the target application to behave in unexpected, and possibly, malicious ways. One of the possible motives for doing so is to pass in arbitrarily large input to the application. Another possible motivation is the modification of application state by including invalid data for subsequent properties of the application. Such weaknesses commonly lead to attacks such as buffer overflows and execution of arbitrary code.
CVE-2026-35547 has been classified as a length manipulation vulnerability or weakness.
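The check that this class of weakness is missing, as an added example (not FreeBSD or libnv code): a C parser for a hypothetical length-prefixed message that compares the size declared in the header against the bytes actually received before it allocates or copies anything. The wire layout, the 64 KiB limit and every name here are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format (an assumption, not libnv's layout):
 * 1-byte magic, 4-byte big-endian payload size, then the payload. */
#define MSG_MAGIC       0x6c
#define MSG_HDR_LEN     5u
#define MSG_MAX_PAYLOAD (64u * 1024u)   /* assumed policy limit */

enum msg_status { MSG_OK, MSG_SHORT, MSG_BAD_MAGIC, MSG_TOO_BIG,
    MSG_LEN_MISMATCH, MSG_NOMEM };

/* Check the header against the bytes actually received, then copy the
 * payload into a heap buffer sized from the validated length. */
enum msg_status
msg_unpack(const uint8_t *buf, size_t received, uint8_t **out, size_t *outlen)
{
    uint32_t declared;

    *out = NULL;
    *outlen = 0;
    if (received < MSG_HDR_LEN)         /* header itself is truncated */
        return MSG_SHORT;
    if (buf[0] != MSG_MAGIC)
        return MSG_BAD_MAGIC;
    declared = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
        ((uint32_t)buf[3] << 8) | (uint32_t)buf[4];
    if (declared > MSG_MAX_PAYLOAD)     /* bound the size before using it */
        return MSG_TOO_BIG;
    /* Subtract on the trusted side so the comparison cannot wrap. */
    if ((size_t)declared != received - MSG_HDR_LEN)
        return MSG_LEN_MISMATCH;
    *out = malloc(declared ? declared : 1);
    if (*out == NULL)
        return MSG_NOMEM;
    memcpy(*out, buf + MSG_HDR_LEN, declared);
    *outlen = declared;
    return MSG_OK;
}

int
main(void)
{
    /* Constructed sample: header claims 200 bytes, only 3 follow. */
    uint8_t lying[] = { MSG_MAGIC, 0, 0, 0, 200, 'a', 'b', 'c' };
    uint8_t *p;
    size_t n;
    return msg_unpack(lying, sizeof lying, &p, &n) == MSG_LEN_MISMATCH ? 0 : 1;
}
```

The length comparison is an exact match because this hypothetical format carries one message per buffer; a streaming format would instead require `declared <= received - MSG_HDR_LEN`.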
Products Associated with CVE-2026-35547
Affected Versions
FreeBSD:
- Version 15.0-RELEASE and below p7 is affected.
- Version 14.4-RELEASE and below p3 is affected.
- Version 14.3-RELEASE and below p12 is affected.
- Version 13.5-RELEASE and below p13 is affected.