PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15449 illumos CVE debrief

CVE-2026-15449 is a time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld). The vulnerability affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can exploit this vulnerability to panic the system. The resulting kernel heap corruption may be usable for further compromise. System administrators and users of illumos-based systems should be aware of this vulnerability and take necessary precautions.

Vendor
illumos
Product
illumos
CVSS
MEDIUM 5.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

System administrators and users of illumos-based systems should be aware of this vulnerability. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can exploit this vulnerability to panic the system and potentially lead to further compromise.

Technical summary

The drv_ioc_prop_common() function in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. This can lead to a system panic and potentially allow for further compromise.

Defensive priority

Medium priority should be given to patching this vulnerability, as it can be exploited by an unprivileged local user to panic the system and potentially lead to further compromise.

Recommended defensive actions

  • Apply the vendor patch as soon as available
  • Inventory systems for exposure
  • Monitor system logs for suspicious activity
  • Implement compensating controls to limit user access
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-16T20:16:44.373Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The vulnerability affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. An unprivileged local user can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:44.373Z and has not been modified since then.