PatchSiren cyber security CVE debrief
CVE-2026-39461 FreeBSD CVE debrief
CVE-2026-39461 describes a stack-corruption issue in FreeBSD’s libcasper(3) helper-process communication path. The flaw stems from using select(2) without verifying that the socket descriptor is below FD_SETSIZE (1024). An attacker who can drive an application to allocate large file descriptors may be able to trigger corruption; if the affected application runs with setuid root privileges, the issue could lead to local privilege escalation.
- Vendor
- FreeBSD
- Product
- Unknown
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-21
- Original CVE updated
- 2026-05-21
- Advisory published
- 2026-05-21
- Advisory updated
- 2026-05-21
Who should care
FreeBSD administrators, maintainers of applications that use libcasper(3), and security teams responsible for setuid-root programs or software that may inherit many open file descriptors.
Technical summary
According to the source description, libcasper(3) waits for data on UNIX domain sockets using select(2) but does not confirm that the socket descriptor fits within the FD_SETSIZE descriptor-set boundary. If an application ends up with a high-numbered descriptor and then calls into libcasper, the resulting out-of-bounds descriptor handling can corrupt stack memory. The supplied NVD metadata maps the weakness to CWE-121.
Defensive priority
High for systems that use libcasper in privilege-sensitive or setuid contexts; otherwise medium, because exploitation requires an attacker to influence descriptor allocation and application startup behavior.
Recommended defensive actions
- Apply the FreeBSD security advisory and any vendor-provided updates referenced for FreeBSD-SA-26:22.libcasper.
- Inventory applications that use libcasper(3), especially those with setuid root privileges or that may inherit many open file descriptors.
- Review startup hygiene so programs close unnecessary file descriptors early and do not pass unexpectedly large descriptor numbers into libcasper-related code paths.
- Validate that deployments are receiving the fixed FreeBSD package or base-system update before re-enabling privileged services.
- Monitor for abnormal file-descriptor growth or unusual crashes in applications that depend on libcasper.
Evidence notes
This debrief is based only on the supplied NVD record and the linked FreeBSD advisory reference. The NVD entry states that libcasper(3) uses select(2) without checking FD_SETSIZE (1024), which can cause stack corruption, and that setuid-root use may enable local privilege escalation. The NVD metadata also lists CWE-121. Vendor attribution in the supplied data is weak/uncertain, but the reference source points to FreeBSD Secteam.
Official resources
-
CVE-2026-39461 CVE record
CVE.org
-
CVE-2026-39461 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
CVE published and last modified on 2026-05-21T10:16:25.320Z, based on the supplied CVE timeline and source timestamps.