CVE-2026-39461HIGH 8.8EPSS p4.6%

CVE-2026-39461CVE-2026-39461

Description

libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS0.15% probability of exploitation · percentile 4.6% · 2026-06-19T12:03:05Z
Published2026-05-21
Last modified2026-05-21

Underlying weaknesses· 1

CWE-121

References

  1. https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc

1

TypeTargetConfidenceTier
WeaknessStack-based Buffer Overflowcwe-1210%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35547
CVE
Linux Kernel Privilege Escalation Vulnerability
CVE
CVE-2026-25258
CVE
CVE-2026-41981
CVE
Linux Kernel Heap Out-of-Bounds Write Vulnerability
CVE
CVE-2025-34468
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.