CVE-2026-3038: FreeBSD Kernel Stack Buffer Overflow in rtsock_msg_buffer()
A stack buffer overflow vulnerability tracked as CVE-2026-3038 has been disclosed in the FreeBSD kernel's routing socket interface. The flaw resides in the rtsock_msg_buffer() function and can be triggered by an unprivileged local user, causing a kernel panic (denial of service). Under specific conditions involving a secondary kernel bug, it may be elevated to local privilege escalation (LPE).
The CVE was published on March 9, 2026, carries a CVSS v3.1 base score of 7.5 (High), and is addressed by the official FreeBSD security advisory FreeBSD-SA-26:05.route, issued February 24, 2026. Patches are available for all supported FreeBSD branches.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-3038 |
| FreeBSD Advisory | FreeBSD-SA-26:05.route |
| CVSS Score | 7.5 (High) |
| CWE Classification | CWE-121 — Stack-based Buffer Overflow |
| Affected Component | rtsock_msg_buffer() in sys/net/rtsock.c |
| Attack Vector | Local |
| Privileges Required | None beyond an unprivileged local account |
| Primary Impact | Kernel panic (DoS) |
| Secondary Impact | Potential local privilege escalation |
| Patch Available | Yes — FreeBSD-SA-26:05.route (February 24, 2026) |
| Discovered By | Adam Crosser, Praetorian Labs |
Affected FreeBSD Versions
| Branch | Affected Versions |
|---|---|
| FreeBSD 15.0-RELEASE | Earlier than 15.0-RELEASE-p4 |
| FreeBSD 14.3-RELEASE | Earlier than 14.3-RELEASE-p9 |
| FreeBSD 14.4-RC1 | Affected |
| FreeBSD 13.5-RELEASE | Earlier than 13.5-RELEASE-p10 |
Technical Details
Root Cause
The rtsock_msg_buffer() function is responsible for serializing routing information into a buffer within the FreeBSD kernel's routing socket (route(4)) subsystem. During serialization, the function copies sockaddr structures into a sockaddr_storage structure allocated on the kernel stack.
The critical flaw is an implicit trust assumption: the function treats the sa_len (length) field of the source sockaddr as already validated, but no such validation has occurred at the point of the copy. A userspace program can craft an RTM_GET request whose sockaddr carries an oversized sa_len. Because sa_len is an 8-bit field, the largest value a caller can supply is 255, while sockaddr_storage is 128 bytes; the copy can therefore run up to 127 bytes past the end of the stack-allocated buffer.
Exploitation Path
Denial of Service (Reliable)
The overflow runs into the stack canary that the kernel's stack protector places after the buffer. When rtsock_msg_buffer() returns, the canary check fails and the kernel panics, taking the system down. This path is fully reliable and requires no special knowledge: any unprivileged user with local access can trigger it.
Local Privilege Escalation (Conditional)
The FreeBSD advisory notes that if an attacker can first exploit a secondary kernel bug that leaks or allows prediction of the stack canary value, the corrupted canary detection can be bypassed. In that scenario, the overflow can overwrite critical stack data — including return addresses — enabling arbitrary code execution in kernel context and full local privilege escalation to root.
No such secondary bug has been publicly paired with CVE-2026-3038 at time of writing. However, the theoretical LPE path elevates the urgency of patching beyond what a pure DoS rating would suggest.
Vulnerable Code Path
RTM_GET routing socket request (userspace)
→ rtsock_msg_buffer() [sys/net/rtsock.c]
→ sockaddr copy into stack-allocated sockaddr_storage
→ sa_len field NOT validated before copy
→ 127-byte stack buffer overflow possible
→ Stack canary corrupted
→ Kernel panic on function return (DoS)
→ [If canary bypassed] Kernel code execution (LPE)
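The copy described under Root Cause and the canary check described under Denial of Service, modelled in user space as an added example. This is not FreeBSD's code: the real rtsock_msg_buffer() has a different shape, and the frame layout, struct name and function names below are illustrative assumptions. A flat byte array stands in for the kernel stack (a 128-byte sockaddr_storage-sized buffer followed by an 8-byte canary, with spare room so the over-long copy stays inside one object and the demo itself cannot crash). The unchecked copy trusts sa_len exactly as the vulnerable code does; the checked copy shows the bounds test that prevents the overflow.

```c
/* Added example (not FreeBSD's code): user-space model of trusting sa_len
 * when copying a sockaddr into a stack-allocated sockaddr_storage. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SS_SIZE   128u                    /* sizeof(struct sockaddr_storage) on FreeBSD */
#define SA_HDR    2u                      /* sa_len + sa_family: smallest valid sa_len */
#define FRAME_SZ  (SS_SIZE + 8u + 256u)   /* buffer, canary, then room for the spill */
#define CANARY    0x5a5a5a5a5a5a5a5aULL   /* illustrative fixed canary value */

/* Stand-in for the on-wire sockaddr: sa_len is one byte, so at most 255. */
struct fake_sa {
    uint8_t sa_len;
    uint8_t sa_family;
    uint8_t sa_data[253];
};

/* Zero the model stack frame and plant the canary right after the buffer. */
static void frame_init(uint8_t *frame) {
    uint64_t c = CANARY;
    memset(frame, 0, FRAME_SZ);
    memcpy(frame + SS_SIZE, &c, sizeof c);
}

/* 1 if the canary after the buffer is still intact, 0 if it was clobbered. */
int canary_intact(const uint8_t *frame) {
    uint64_t c;
    memcpy(&c, frame + SS_SIZE, sizeof c);
    return c == CANARY;
}

/* Vulnerable pattern: sa_len is trusted. sa_len > 128 writes past the
 * sockaddr_storage-sized buffer, by up to 255 - 128 = 127 bytes.
 * Returns how many bytes landed beyond the buffer. */
unsigned copy_sa_unchecked(uint8_t *frame, const struct fake_sa *sa) {
    memcpy(frame, sa, sa->sa_len);        /* stays inside frame[] in this model */
    return sa->sa_len > SS_SIZE ? sa->sa_len - SS_SIZE : 0;
}

/* Hardened pattern: bound sa_len to [SA_HDR, SS_SIZE] before copying.
 * Returns 0 on success, -1 if rejected; nothing is written on rejection. */
int copy_sa_checked(uint8_t *frame, const struct fake_sa *sa) {
    if (sa->sa_len < SA_HDR || sa->sa_len > SS_SIZE)
        return -1;
    memcpy(frame, sa, sa->sa_len);
    return 0;
}

/* Constructed sockaddr: requested sa_len, 0x41 filler in the body. */
void make_sa(struct fake_sa *sa, uint8_t len) {
    memset(sa, 0x41, sizeof *sa);
    sa->sa_len = len;
    sa->sa_family = 2;                     /* AF_INET on FreeBSD; illustrative */
}

/* Run one sa_len through both routines. Returns 1 when the unchecked copy
 * clobbered the canary (the panic case) and the checked copy refused it. */
int demo(uint8_t len) {
    uint8_t frame[FRAME_SZ];
    struct fake_sa sa;
    unsigned spill;
    int panic, rejected;

    make_sa(&sa, len);

    frame_init(frame);
    spill = copy_sa_unchecked(frame, &sa);
    panic = !canary_intact(frame);

    frame_init(frame);
    rejected = copy_sa_checked(frame, &sa) < 0;

    printf("sa_len=%3u spill=%3u unchecked:%s checked:%s\n", (unsigned)len, spill,
           panic ? "canary clobbered (panic)" : "ok",
           rejected ? "rejected" : "copied");
    return panic && rejected;
}

int main(void) {
    demo(16);    /* sockaddr_in-sized request: fits */
    demo(128);   /* exactly fills sockaddr_storage: still fits */
    demo(129);   /* one byte past the buffer already hits the canary */
    demo(255);   /* maximum sa_len: 127 bytes past the buffer */
    return 0;
}
```

Any sa_len of 129 or more corrupts the canary in this model, which is why the DoS path is reliable: the first byte past the buffer is enough for the stack protector to refuse the return.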
Impact Assessment
| Impact Area | Description |
|---|---|
| System Availability | Any unprivileged user can crash the kernel via a single RTM_GET request |
| Privilege Escalation | Theoretical root access if chained with a kernel canary leak |
| Multi-Tenant Environments | Shared hosting, VPS hosts, and container environments face elevated risk |
| Embedded / Appliance FreeBSD | Devices running FreeBSD (firewalls, NAS, routers) are affected if user shells exist |
| Exploit Complexity | DoS is trivial; LPE requires chaining — currently no known working chain |
Remediation
Applying the Official Patch
Patches were released on February 24, 2026 for all supported FreeBSD branches. Applying the patch is the only complete fix.
Via freebsd-update (binary updates), as root:

```sh
freebsd-update fetch
freebsd-update install
reboot
```

Via source (for custom kernels):
Apply the patch from the official advisory in /usr/src (the patch paths are relative to that directory) and rebuild the kernel:

```sh
# Apply patch from /usr/src
cd /usr/src
patch -p0 < /path/to/FreeBSD-SA-26:05.route.patch
# Rebuild and install kernel
make -j$(sysctl -n hw.ncpu) buildkernel
make installkernel
reboot
```

Mitigations (If Patching Is Delayed)
Since the attack requires local access, environments where untrusted users have shell access are most at risk:
- Restrict local user shell access — If non-administrative users should not have shell access, revoke it
- Monitor for RTM_GET anomalies — Unusual volumes of routing socket requests from unprivileged users may indicate probing
- Prioritize patch deployment on shared systems — VPS hosts, development servers, and any multi-user FreeBSD installations should be patched first
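To decide which hosts still need the patch, the following added script (not from the advisory) compares a kernel version string against the branch table above. It assumes the version string format that freebsd-version -k prints (for example 14.3-RELEASE-p9) and that the first fixed patch level is the one named in the table; 14.4-RC1 is treated as unconditionally affected because the table gives no fixed level for it.

```sh
#!/bin/sh
# Added example: classify a FreeBSD kernel version string against the
# FreeBSD-SA-26:05.route fixed patch levels (15.0-p4, 14.3-p9, 13.5-p10).
# Assumption: "before patch N" in the advisory table means N is the first
# fixed level. Exit 0 = fixed, 1 = vulnerable, 2 = branch not in the table.
sa2605_fixed() {
    ver="$1"
    rel=${ver%%-p[0-9]*}          # "14.3-RELEASE-p9" -> "14.3-RELEASE"
    case "$ver" in
        *-p[0-9]*) p=${ver##*-p} ;;   # patch number after the last "-p"
        *)         p=0 ;;             # no patch suffix: treat as p0
    esac
    case "$rel" in
        15.0-RELEASE) need=4 ;;
        14.3-RELEASE) need=9 ;;
        13.5-RELEASE) need=10 ;;
        14.4-RC1)     return 1 ;;     # listed as affected, no fixed level given
        *)            return 2 ;;
    esac
    [ "$p" -ge "$need" ]
}

# Stand-alone use on a FreeBSD host; skipped where freebsd-version is absent.
if command -v freebsd-version >/dev/null 2>&1; then
    kv=$(freebsd-version -k)
    rc=0
    sa2605_fixed "$kv" || rc=$?
    case "$rc" in
        0) echo "$kv: SA-26:05.route fix present" ;;
        1) echo "$kv: VULNERABLE, patch and reboot needed" ;;
        *) echo "$kv: branch not covered by the advisory table" ;;
    esac
fi
```

Run it under a fleet tool (ssh loop, Ansible raw module) and triage the hosts returning 1 first, starting with the multi-user systems named above. The check reads the running kernel, so a host that was patched but not yet rebooted still reports as vulnerable, which is the answer you want.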
Context: FreeBSD Routing Socket Subsystem
The route(4) routing socket is the BSD-originated PF_ROUTE socket API through which userspace programs query and modify the kernel's routing table. It is used by network management utilities such as route(8) and netstat(1) and by various network daemons. Because query operations such as RTM_GET are permitted for unprivileged processes, the attack surface is reachable with nothing more than an ordinary local account.
Key Takeaways
- CVE-2026-3038 is a CVSS 7.5 stack buffer overflow in FreeBSD's rtsock_msg_buffer() function, exploitable by any unprivileged local user
- The primary impact is a kernel panic (reliable DoS) that crashes the affected system
- A theoretical LPE path exists if chained with a secondary stack canary leak; no working exploit chain is known at this time
- All supported FreeBSD branches (13.x, 14.x, 15.x) are affected; patches were released February 24, 2026
- Systems with untrusted local users (shared hosts, VPS providers, development servers) should treat this as urgent