CVE-2026-35547

When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to ex...

high 8.1 CVSS 3.1
Published: Apr 30, 2026
Modified: May 1, 2026
Vendor: Freebsd
Product: Freebsd
Versions: 13.5,14.3,14.4,15.0

Description

When processing the header of an incoming message, libnv failed to properly validate the message size.

The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.

References

Related CVEs

CVE-2026-39457 high · 7.8
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file de
CVE-2026-42512 high · 8.1
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its
CVE-2026-7164 high · 7.5
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. Remote attackers can craft packet
CVE-2026-7270 high · 7.8
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug ma
CVE-2026-42511 high · 8.1
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequ