CVE-2026-35547: FreeBSD libnv Heap Buffer Overflow
A critical heap buffer overflow vulnerability tracked as CVE-2026-35547 has been disclosed affecting FreeBSD's libnv library. The flaw exists in the message header processing path, where the library fails to properly validate the incoming message size before performing a heap write. An unprivileged program can exploit this to write data outside the bounds of a heap allocation, potentially crashing the system or enabling escalation to higher privilege levels.
The vulnerability was published on April 30, 2026, with a CVSS v3.1 score of 9.1 (Critical).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-35547 |
| CVSS Score | 9.1 (Critical) |
| CWE Classification | CWE-122 — Heap-based Buffer Overflow |
| Affected Component | FreeBSD libnv — message header parsing |
| Attack Vector | Local |
| Privileges Required | None (unprivileged user) |
| Primary Impact | Crash / System Panic (DoS) |
| Secondary Impact | Potential privilege escalation |
| Patch Available | Check FreeBSD security advisories |
Technical Details
Root Cause
The vulnerability resides in libnv, FreeBSD's name/value pair library used for inter-process communication and kernel–userspace data exchange. When processing the header of an incoming message, libnv reads a message size field from the header but fails to validate this value before using it to control subsequent heap operations.
The lack of size validation allows a malicious program to supply a crafted message with an oversized or malformed size field, causing libnv to perform a write operation that extends beyond the end of the allocated heap buffer by an attacker-controlled number of bytes.
Exploitation Scenario
Denial of Service (Reliable): The out-of-bounds write corrupts adjacent heap metadata or other heap allocations. On most FreeBSD configurations this results in a detectable heap consistency failure, triggering a system panic. Any unprivileged local process can trigger this condition by sending a crafted message to a libnv consumer.
Privilege Escalation (Conditional): Under favourable heap layout conditions — influenced by timing, allocation patterns, and the specific application consuming libnv — an attacker may be able to corrupt heap structures in a way that leads to arbitrary code execution within the context of a privileged process or the kernel. The CVSS score of 9.1 reflects this potential for impact beyond simple DoS.
Vulnerable Code Path
Unprivileged process sends crafted message
→ libnv header parsing
→ Message size field read from untrusted input
→ No bounds validation performed
→ Heap write using attacker-controlled size
→ Out-of-bounds write past heap allocation
→ Heap corruption → System panic (DoS)
→ [Heap shaping] Potential arbitrary code execution
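As an added illustration (not libnv's actual code or wire format), the C sketch below shows the check the advisory describes as missing: a constructed 10-byte header carries a sender-claimed payload size, and the hardened parser validates that size against the bytes actually received and an absolute cap before any heap allocation or copy. HDR_LEN, HDR_MAGIC, MSG_MAX_SIZE, parse_msg_checked and build_msg are assumed names for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified header (illustrative layout, not libnv's):
 *   byte 0: magic, byte 1: flags, bytes 2-9: payload size (LE), sender-claimed */
#define HDR_LEN       10
#define HDR_MAGIC     0x4e
#define MSG_MAX_SIZE  (1024u * 1024u)   /* hypothetical hard cap on payload size */

static uint64_t rd_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Hardened parse: the claimed size is untrusted, so it must be covered by the
 * bytes actually received and stay under the cap before malloc/memcpy run.
 * The bug pattern in the advisory skips this and sizes the heap write from
 * the header alone.  Returns NULL (and *outlen = 0) on any inconsistency. */
unsigned char *parse_msg_checked(const unsigned char *buf, size_t buflen, size_t *outlen)
{
    *outlen = 0;
    if (buf == NULL || buflen < HDR_LEN || buf[0] != HDR_MAGIC)
        return NULL;                    /* truncated header or bad magic */
    uint64_t claimed = rd_le64(buf + 2);
    if (claimed > MSG_MAX_SIZE || claimed > (uint64_t)(buflen - HDR_LEN))
        return NULL;                    /* oversized or lying size field: reject */
    unsigned char *data = malloc(claimed > 0 ? (size_t)claimed : 1);
    if (data == NULL)
        return NULL;
    memcpy(data, buf + HDR_LEN, (size_t)claimed);
    *outlen = (size_t)claimed;
    return data;
}

/* Builds a constructed message with an arbitrary claimed size so the check
 * can be exercised with both honest and inconsistent headers (test input). */
size_t build_msg(unsigned char *out, uint64_t claimed,
                 const unsigned char *payload, size_t paylen)
{
    out[0] = HDR_MAGIC;
    out[1] = 0;
    for (int i = 0; i < 8; i++)
        out[2 + i] = (unsigned char)(claimed >> (8 * i));
    memcpy(out + HDR_LEN, payload, paylen);
    return HDR_LEN + paylen;
}
```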
Impact Assessment
| Impact Area | Description |
|---|---|
| System Availability | Any unprivileged local process can trigger a kernel panic |
| Privilege Escalation | Heap-based exploitation may allow escalation to root or privileged process context |
| Multi-Tenant Systems | Shared servers and VPS environments with untrusted shell users are at elevated risk |
| FreeBSD Appliances | Embedded FreeBSD devices (firewalls, NAS, routers) using libnv are affected |
| Exploit Complexity | DoS is straightforward; full LPE requires heap grooming and layout control |
Remediation
Official Patch
Monitor the FreeBSD Security Advisories page and apply patches as released for your FreeBSD branch.
Via freebsd-update (binary updates):

```shell
freebsd-update fetch
freebsd-update install
reboot
```

Via ports/source:

```shell
# Apply official advisory patch
patch -p0 < /path/to/advisory.patch
# Rebuild affected components and reboot
```

Interim Mitigations
Until a patch can be applied:
- Restrict local shell access — Limit which users have shell access on systems running FreeBSD, especially shared or multi-tenant environments
- Audit libnv consumers — Identify privileged services that process libnv messages and assess their exposure surface
- Monitor for anomalous IPC activity — Watch for unusual inter-process message patterns from unprivileged accounts
- Consider jails — Use FreeBSD jails to isolate untrusted workloads and limit their ability to interact with system-level libnv consumers
Context: FreeBSD libnv
FreeBSD's libnv (name/value pair library) is a kernel and userspace facility used throughout the OS for safe, structured data exchange between processes and between userspace and the kernel. It is used by various system daemons and kernel subsystems. Its attack surface is reachable by unprivileged processes wherever these daemons or subsystems accept libnv-formatted messages, making validation of message size fields a foundational security requirement.
Key Takeaways
- CVE-2026-35547 is a CVSS 9.1 critical heap buffer overflow in FreeBSD's libnv library, triggered by missing message size validation
- Any unprivileged local process can cause an out-of-bounds heap write — reliably crashing the system and potentially escalating privileges
- All FreeBSD systems running affected branches should apply patches immediately from the official FreeBSD Security Advisory
- Systems with untrusted local users — shared hosts, VPS providers, and container environments — should treat this as a high-priority emergency
- Interim mitigations include restricting shell access and using FreeBSD jails to isolate untrusted workloads