FreeBSD libnv Stack Overflow via select() FD Set Overflow (CVE-2026-39457)

FreeBSD-SA-26:16.libnv Security Advisory Summary Vulnerability Overview Vulnerability Name: Stack overflow via select() file descriptor set overflow CVE ID: CVE-2026-39457 Module: core Release Date: 2026-04-29 Description: When libnv processes socket data, it uses the function. However, it does not validate whether the provided socket descriptor set fits within the file descriptor set size limit (1024) for . Impact Scope Affected Versions: All supported FreeBSD versions (including stable/15, stable/14, stable/13, releng/15.0, releng/14.4, releng/13.5, etc.). Impact: An attacker can trigger libnv corruption by forcing a libnv application to allocate a large number of file descriptors (e.g., by opening many descriptors and executing a program that does not carefully close them at startup). If the target application is setuid-root, this may be used to escalate local privileges. Remediation Recommendation: Upgrade to a FreeBSD stable or release/security branch (releng) dated after the fix date, and reboot. Specific Actions: 1. Update via Binary Patches: - For FreeBSD 13 on amd64 or arm64 platforms, updates can be performed using the tool. - Example commands: 2. Update via Source Code Patches: - Download and verify the PGP signature of the patch from the specified location. - Example commands: - Execute the following commands as root: - Recompile the operating system and kernel, and reboot the system. Fix Details Git Commit Hashes: - : 76405383d5ce - : 4580908de1c1 - : a5d4863085a - : a8f2c2f309e - : 4cc2205c61a7 - : 32012877f145 View Modified Files: Access URL: - Replace with the hashes listed above and visit the following URL to view details: Determine Commit Count: References CVE Link: Latest Revision:

Goal Reached Thanks to every supporter — we hit 100%!

FreeBSD libnv Stack Overflow via select() FD Set Overflow (CVE-2026-39457)