CVE-2026-35547

EUVD-2026-26355
When processing the header of an incoming message, libnv failed to properly validate the message size.

The lack of validation allows a malicious program to write outside the bounds of a heap allocation.  This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
freebsdfreebsd
13.5
freebsdfreebsd
13.5:beta3
freebsdfreebsd
13.5:p1
freebsdfreebsd
13.5:p10
freebsdfreebsd
13.5:p11
freebsdfreebsd
13.5:p12
freebsdfreebsd
13.5:p2
freebsdfreebsd
13.5:p3
freebsdfreebsd
13.5:p4
freebsdfreebsd
13.5:p5
freebsdfreebsd
13.5:p6
freebsdfreebsd
13.5:p7
freebsdfreebsd
13.5:p8
freebsdfreebsd
13.5:p9
freebsdfreebsd
14.3
freebsdfreebsd
14.3:p1
freebsdfreebsd
14.3:p10
freebsdfreebsd
14.3:p11
freebsdfreebsd
14.3:p2
freebsdfreebsd
14.3:p3
freebsdfreebsd
14.3:p4
freebsdfreebsd
14.3:p5
freebsdfreebsd
14.3:p6
freebsdfreebsd
14.3:p7
freebsdfreebsd
14.3:p8
freebsdfreebsd
14.3:p9
freebsdfreebsd
14.4
freebsdfreebsd
14.4:p1
freebsdfreebsd
14.4:p2
freebsdfreebsd
14.4:rc1
freebsdfreebsd
15.0
freebsdfreebsd
15.0:p1
freebsdfreebsd
15.0:p2
freebsdfreebsd
15.0:p3
freebsdfreebsd
15.0:p4
freebsdfreebsd
15.0:p5
freebsdfreebsd
15.0:p6
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc