FreeBSD
cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*
A stack corruption vulnerability has been identified in the FreeBSD libnv library, which is used for exchanging name-value pairs and can facilitate Inter-Process Communication (IPC). The issue arises because libnv does not check if a socket descriptor exceeds the file descriptor set size limit of 1024 when using select() to wait for data. This oversight can be exploited by an attacker who forces a libnv application to create large file descriptors, potentially leading to stack corruption. If the affected application has setuid-root privileges, this vulnerability could be used to elevate local privileges.
Exploitation of this vulnerability can cause stack corruption, with the potential to elevate local privileges, especially if the affected application is setuid-root.
Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date. Instructions for updating via the FreeBSD Update utility or applying a source code patch are available in the FreeBSD Security Advisory.
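The `select()` bound described above, as an added C example (not libnv's code and not the FreeBSD patch): the unchecked pattern, a variant that rejects descriptors at or above `FD_SETSIZE`, and a `poll()` variant that has no such ceiling. All function names are hypothetical, and the pipe used in the self-check is constructed.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* All names are hypothetical. Unchecked pattern, shown for contrast: fd_set
 * is a fixed bitmap of FD_SETSIZE bits, so FD_SET() with fd >= FD_SETSIZE
 * writes outside it. */
int wait_readable_unchecked(int fd, struct timeval *tv)
{
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);              /* out of bounds for a large fd */
    return select(fd + 1, &rfds, NULL, NULL, tv);
}

/* Checked select(): refuse descriptors the bitmap cannot represent. */
int wait_readable_checked(int fd, struct timeval *tv)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    return wait_readable_unchecked(fd, tv);
}

/* poll() takes an array of descriptors instead of a bitmap, so it has no
 * FD_SETSIZE ceiling. Returns 1 if ready, 0 on timeout, -1 on error. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc = poll(&pfd, 1, timeout_ms);
    return (rc > 0 && (pfd.revents & POLLNVAL)) ? -1 : rc;
}

/* Constructed check: a pipe holding one byte is readable on both safe paths. */
int demo_pipe_readable(void)
{
    int p[2], ok;
    struct timeval tv = { .tv_sec = 0, .tv_usec = 0 };

    if (pipe(p) != 0)
        return -1;
    ok = write(p[1], "x", 1) == 1 && wait_readable_checked(p[0], &tv) == 1 &&
         wait_readable_poll(p[0], 0) == 1;
    close(p[0]);
    close(p[1]);
    return ok;
}
```

A code review or static-analysis pass for this bug class can look for `FD_SET()` calls whose descriptor argument is not preceded by a comparison against `FD_SETSIZE`.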