LPE via FD overflow in libcasper (FreeBSD)
CVE-2026-39461 Published on May 21, 2026
select(2) file descriptor set overflow causes stack overflow
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
Vulnerability Analysis
CVE-2026-39461 can be exploited with local system access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a small impact on availability.
Weakness Type
What is a Stack Overflow Vulnerability?
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CVE-2026-39461 has been classified to as a Stack Overflow vulnerability or weakness.
Products Associated with CVE-2026-39461
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 15.0-RELEASE and below p9 is affected.
- Version 14.4-RELEASE and below p5 is affected.
- Version 14.3-RELEASE and below p14 is affected.