On February 24, 2026, the FreeBSD security team published advisory FreeBSD-SA-26:05.route, fixing CVE-2026-3038. It’s a stack buffer overflow in the kernel’s routing socket interface, and it lets an unprivileged local user crash the whole system with a kernel panic.
What the vulnerability is
The routing socket interface (route(4)) is what user-space processes use to query and modify the kernel routing table: adding or removing routes, watching for network interface changes, and so on. Tools like route and routing daemons rely on it.
The flaw sits in the rtsock_msg_buffer() function, which builds routing socket messages. It copies sockaddr structures into a sockaddr_storage structure that lives on the stack, but it wrongly assumes the length field of the source sockaddr was already validated earlier. When that length field goes unvalidated, a malicious program can trigger an overflow of up to 127 bytes that writes past the buffer reserved on the stack.
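The following is an added example of the bug class the advisory describes, written for this article; it is not FreeBSD's rtsock_msg_buffer() or its patch. It uses simplified stand-in struct layouts (bsd_sockaddr, bsd_sockaddr_storage, both assumed here) that keep the BSD shape of a one-byte length followed by a one-byte family, and contrasts a copy that trusts sa_len with one that checks it against both the 128-byte stack buffer and the bytes actually present in the source message. It also works through why an 8-bit length gives at most a 127-byte overrun.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the BSD address structures (assumed layouts for
 * this example, not the kernel's definitions): sa_len is set by whoever
 * built the message and is therefore untrusted. */
#define SS_SIZE    128u   /* sizeof(struct sockaddr_storage) on FreeBSD */
#define SA_MIN_LEN 2u     /* at least the length byte and the family byte */

struct bsd_sockaddr {
    uint8_t sa_len;       /* total length of this address record */
    uint8_t sa_family;
    uint8_t sa_data[14];
};

struct bsd_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    uint8_t ss_pad[SS_SIZE - 2];
};

/* How far a copy that trusts an 8-bit sa_len can run past a 128-byte
 * buffer: sa_len tops out at 255, so the worst case is 255 - 128 = 127. */
size_t overrun_bytes(uint8_t sa_len)
{
    return sa_len > SS_SIZE ? (size_t)sa_len - SS_SIZE : 0;
}

/* The trusting pattern: correct only if every caller validated sa_len
 * first. If no caller did, sa_len > 128 writes beyond 'dst' on the stack.
 * Shown for contrast; only ever call it with an already-checked address. */
void copy_sockaddr_trusting(struct bsd_sockaddr_storage *dst,
                            const struct bsd_sockaddr *src)
{
    memcpy(dst, src, src->sa_len);
}

/* The hardened pattern: bound sa_len by the destination size and by the
 * bytes that are really present in the source message, then copy.
 * Returns 0 on success, -1 if the address record is rejected. */
int copy_sockaddr_checked(struct bsd_sockaddr_storage *dst,
                          const void *src, size_t src_avail)
{
    const struct bsd_sockaddr *sa = src;
    size_t len;

    if (src_avail < SA_MIN_LEN)   /* cannot even read sa_len and sa_family */
        return -1;
    len = sa->sa_len;
    if (len < SA_MIN_LEN)         /* zero/one-byte lengths are malformed */
        return -1;
    if (len > sizeof(*dst))       /* would overflow the stack buffer */
        return -1;
    if (len > src_avail)          /* would read past the end of the message */
        return -1;
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, sa, len);
    return 0;
}

/* Builds a constructed message holding one address with the given sa_len
 * (filler bytes, not a real address) and runs the hardened copy into a
 * stack buffer. src_avail simulates how many bytes the message contains. */
int try_copy_with_len(uint8_t sa_len, size_t src_avail)
{
    unsigned char msg[256];
    struct bsd_sockaddr_storage ss;

    if (src_avail > sizeof(msg))
        return -2;
    memset(msg, 0xAA, sizeof(msg));   /* constructed filler */
    msg[0] = sa_len;
    msg[1] = 2;                       /* AF_INET has value 2 on BSD */
    return copy_sockaddr_checked(&ss, msg, src_avail);
}

int main(void)
{
    const uint8_t lens[] = { 0, 16, 128, 129, 255 };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("sa_len=%3u  worst-case overrun=%3zu  checked copy: %s\n",
               lens[i], overrun_bytes(lens[i]),
               try_copy_with_len(lens[i], 256) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks that matter are the ones the trusting version skips: the length must not exceed the fixed-size destination, and it must not exceed what the message actually carries, because a caller that only checks the first can still read uninitialized or neighbouring memory. In kernel code the validation belongs at the boundary where the message enters from user space, and every later copy should either re-check or receive an already-bounded length.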
Who is affected
The vulnerability affects all supported FreeBSD versions, specifically:
- FreeBSD 13.5
- FreeBSD 14.3 and 14.4
- FreeBSD 15.0
Because the issue is in the kernel and not in a network-facing service, the attack vector is local: an attacker needs to be able to run code on the machine, though an unprivileged user account is enough. Opening a routing socket and triggering the bug takes no special permissions.
Severity and impact
The overflow overwrites the stack canary, the sentinel value the compiler places to detect stack corruption. When the function returns and that corruption is caught, the kernel responds with an immediate panic. The outcome is a local denial of service (DoS): any user on the system can take the machine down whenever they want.
The advisory adds an important caveat. In the normal case the canary check turns the overflow into a panic, but other kernel bugs may exist that could bypass this protection. Combined with a leak of the canary value or another vulnerability, the overflow could open the door to privilege escalation. That’s why it’s rated high severity rather than treated as a simple DoS.
Mitigation and patch
There is no workaround: the only fix is to apply the patch. FreeBSD offers three options:
- Base system with packages: run pkg upgrade -r FreeBSD-base and reboot.
- Binaries with freebsd-update: run freebsd-update fetch, then freebsd-update install, and reboot.
- From source: download the official patch from security.FreeBSD.org, apply it, and recompile the kernel, since the flaw is in kernel code.
Apply the update as soon as you can on any multi-user FreeBSD system or one running third-party code, where the local DoS risk matters most.
If you want to dig into the fundamentals of isolation and hardening on Unix-like systems, check out our FreeBSD profile too.
Source
- Official advisory: FreeBSD-SA-26:05.route
- CVE details: CVE-2026-3038 on NVD