| DF-0141 |
High |
Missing privilege check in sys_vquotactl: any user can set/read all quotas
sys/kern/vfs_quota.c:328 |
β |
| DF-0142 |
High |
Sleeping allocation (M_WAITOK kmalloc) while holding ac_spin -> panic/deadlock
sys/kern/vfs_quota.c:158 |
β |
| DF-0195 |
High |
Unlocked devstat list: concurrent device detach vs sysctl walk yields UAF (world-readable sysctl)
sys/kern/subr_devstat.c:268 |
β |
| DF-0350 |
High |
Unbounded mesh route-table growth + attacker-controlled lifetime: remote memory exhaustion DoS
sys/netproto/802_11/wlan/ieee80211_hwmp.c:1057 |
β |
| DF-0351 |
High |
uint32 metric accumulation overflow enables route poisoning / route hijacking
sys/netproto/802_11/wlan/ieee80211_hwmp.c:1089 |
β |
| DF-0362 |
High |
pfr_fix_anchor unbounded slash-count loop causes size_t wraparound in bcopy/memset: kernel panic via DIOCRGETTABLES
sys/net/pf/pf_table.c:1740 |
β |
| DF-0401 |
High |
Heap buffer overflow via unchecked slot->len in VALE bridge forwarding: pkt_copy up to 65536 bytes into 2048-byte buffer
sys/net/netmap/netmap_vale.c:988 |
β |
| DF-0410 |
High |
Heap buffer overflow in ng_encode_string: buffer allocated by strlen(raw) but loop iterates attacker-controlled slen
sys/netgraph7/netgraph/ng_parse.c:919 |
β |
| DF-0414 |
High |
Unchecked ph->length in PPPoE discovery packets: remote heap OOB read via get_tag/scan_tags walk bound
sys/netgraph7/pppoe/ng_pppoe.c:1314 |
β |
| DF-0417 |
High |
Use-after-free race on nd_defrouter: defrtrlist_update returns unreferenced pointer consumed unlocked across RA prefix loop
sys/netinet6/nd6_rtr.c:285 |
β |
| DF-0428 |
High |
pfsync_input has no source/peer authentication: any on-link host can inject/modify/destroy pf state
sys/net/pf/if_pfsync.c:462 |
β |
| DF-0429 |
High |
Unauthenticated PFSYNC_ACT_UREQ forces victim to multicast entire pf state table: info disclosure + amplification DoS
sys/net/pf/if_pfsync.c:900 |
β |
| DF-0430 |
High |
Unauthenticated PFSYNC_ACT_CLR/DEL/DEL_C let attacker mass-destroy arbitrary pf state across all CPUs
sys/net/pf/if_pfsync.c:542 |
β |
| DF-0449 |
High |
Heap buffer overflow in ng_string_parse: missing *buflen bounds check before bcopy of user-supplied string
sys/netgraph/netgraph/ng_parse.c:704 |
β |
| DF-0453 |
High |
Wrong session variable in rfcomm_session_newconn: timeout armed on listener not new session β memory leak + listener corruption DoS
sys/netbt/rfcomm_session.c:423 |
β |
| DF-0457 |
High |
Unchecked ph->length in PPPoE discovery: heap OOB read via tag-walk + heap info leak via echoed Relay-Session-Id (v1 twin of DF-0414)
sys/netgraph/pppoe/ng_pppoe.c:925 |
β |
| DF-0471 |
High |
ip_fw3_ctl_x: size_t underflow in sopt_valsize when <4 causes unbounded bcopy heap corruption/panic
sys/net/ipfw3/ip_fw3.c:1038 |
β |
| DF-0472 |
High |
ip_fw3_ctl_add_rule missing cmd_len validation: heap over-read + info leak + OOB function pointer call
sys/net/ipfw3/ip_fw3.c:950 |
β |
| DF-0473 |
High |
ip_fw3_chk: unbounded filter_funcs[module][opcode] indexing -> OOB function pointer call on remote traffic
sys/net/ipfw3/ip_fw3.c:506 |
β |
| DF-0489 |
High |
Neighbor Advertisement handler leaks route refcount on every received NA: remote kernel memory exhaustion DoS
sys/netinet6/nd6_nbr.c:734 |
β |
| DF-0490 |
High |
Type confusion in in_lifaddr_ioctl: AF_INET6 check matches IPv6 addresses cast to in_ifaddr β unpriv heap OOB read/info leak via SIOCGLIFADDR
sys/netinet/in.c:908 |
β |
| DF-0492 |
High |
Lockless race on L2TP seq/window state: concurrent timer + remote packet processing -> UAF on xwin[] mbufs and node private data
sys/netgraph/l2tp/ng_l2tp.c:1126 |
β |
| DF-0494 |
High |
Remote unauthenticated kernel heap+stack memory disclosure via ARP reply using attacker-controlled ar_hln/ar_pln
sys/netinet/if_ether.c:1182 |
β |
| DF-0508 |
High |
L2CAP ConfigReq unknown-option echo inflates m_pkthdr.len past mbuf data -> remote kernel heap info leak
sys/netgraph7/bluetooth/l2cap/ng_l2cap_evnt.c:599 |
β |
| DF-0509 |
High |
Stack buffer overflow in ng_ksocket_sockaddr_unparse via negative pathlen (PF_LOCAL sun_len underflow)
sys/netgraph7/ksocket/ng_ksocket.c:323 |
β |
| DF-0524 |
High |
Stored raw pointer to member ifnet with no refcount: UAF when member interface destroyed
sys/netgraph/fec/ng_fec.c:408 |
β |
| DF-0525 |
High |
ng_fec_tick iterates port list with no list lock: UAF race vs addport/delport
sys/netgraph/fec/ng_fec.c:579 |
β |
| DF-0542 |
High |
inquiry_result: unbounded variable-length loop reads past mbuf end -> remote kernel panic
sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:380 |
β |
| DF-0543 |
High |
num_compl_pkts: unbounded variable-length loop reads past mbuf end -> remote kernel panic
sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:884 |
β |
| DF-0546 |
High |
OOB read of lut[] in netmap_mem_ofstophys: page-padding offset maps garbage physical page into userspace
sys/net/netmap/netmap_mem2.c:165 |
β |
| DF-0558 |
High |
hci_event_num_compl_pkts: unbounded variable-length loop NO per-iteration bounds check -> remote kernel panic
sys/netbt/hci_event.c:376 |
β |
| DF-0559 |
High |
hci_event_inquiry_result/rssi_result: unbounded loops guarded only by KKASSERT -> remote kernel panic on short data
sys/netbt/hci_event.c:447 |
β |
| DF-0569 |
High |
Heap OOB write via byte-swapped alias_port used as array index: every NAT deployment corrupts heap ~1.6% of connections
sys/net/ipfw3_nat/ip_fw3_nat.c:436 |
β |
| DF-0570 |
High |
Remote OOB read: inbound port/icmp_id indexed into alias arrays without bounds check
sys/net/ipfw3_nat/ip_fw3_nat.c:204 |
β |
| DF-0572 |
High |
Per-CPU cfg_nat pointer cached in shared firewall rule: cross-CPU RB-tree races -> corruption
sys/net/ipfw3_nat/ip_fw3_nat.c:158 |
β |
| DF-0580 |
High |
ieee80211_defrag UAF/dangling-pointer: DragonFly m_cat frees fragment but code reads wh + m_pkthdr.len after
sys/netproto/802_11/wlan/ieee80211_input.c:248 |
β |
| DF-0594 |
High |
TKIP RX length underflow on too-short frames -> OOB read and KASSERT panic in wep_decrypt/michael_mic/m_copydata
sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c:266 |
β |
| DF-0047 |
Medium |
mtx_wait_link lock-leak race: chain can grant lock during mtx_delete_link window, caller returns error despite holding the lock (permanent deadlock)
sys/kern/kern_mutex.c:1002 |
β |
| DF-0056 |
Medium |
Heap overflow via unchecked p_filesz > p_memsz in PT_LOAD segment loading
sys/kern/link_elf.c:507 |
β |
| DF-0075 |
Medium |
DIOCGSLICEINFO leaks kernel pointers (KASLR bypass) via raw struct diskslices copyout
sys/kern/subr_diskslice.c:556 |
β |
| DF-0083 |
Medium |
OOB write into cpu_topology_nodes[MAXCPU] during boot topology construction on high-CPU-count systems
sys/kern/subr_cpu_topology.c:115 |
β |
| DF-0103 |
Medium |
p_tracenode/p_traceflag mutated without target p_token -> refcount double-drop/UAF and NULL-deref TOCTOU
sys/kern/kern_ktrace.c:506 |
β |
| DF-0134 |
Medium |
Missing structural validation in l64_readdisklabel: crafted partition fields accepted without bounds checks
sys/kern/subr_disklabel64.c:176 |
β |
| DF-0136 |
Medium |
Jail isolation breach: varsym_list(VARSYM_SYS) leaks host varsyms to jailed processes
sys/kern/kern_varsym.c:263 |
β |
| DF-0137 |
Medium |
Unlocked TAILQ traversal in varsymset_init() during fork: data race/UAF
sys/kern/kern_varsym.c:519 |
β |
| DF-0139 |
Medium |
SLEEPQ_HASH misplaced mask causes massive OOB index into sleepq_chains array
sys/kern/subr_sleepqueue.c:82 |
β |
| DF-0143 |
Medium |
nlookupdata leaked on nlookup failure (missing nlookup_done)
sys/kern/vfs_quota.c:354 |
β |
| DF-0144 |
Medium |
copyin return value silently discarded before prop_dictionary_copyin
sys/kern/vfs_quota.c:345 |
β |
| DF-0145 |
Medium |
vq_done stub leaks all quota RB-trees on unmount
sys/kern/vfs_quota.c:142 |
β |
| DF-0149 |
Medium |
Signed-integer truncation in TLV walk size math allows backward/OOB pointer movement
sys/kern/subr_module.c:79 |
β |
| DF-0162 |
Medium |
Global modules TAILQ mutated without mod_token: unpriv readers race with privileged kldload/unload
sys/kern/kern_module.c:141 |
β |
| DF-0176 |
Medium |
cttyioctl forwards ioctls to ttyvp without vnode reference (UAF race)
sys/kern/tty_tty.c:238 |
β |
| DF-0181 |
Medium |
sysctl_hostname leaks XLOCK on EPERM: jailed root deadlocks host sysctl subsystem
sys/kern/kern_mib.c:217 |
β |
| DF-0185 |
Medium |
Uninitialized kernel stack memory leaked via acl_get_file/acl_get_fd
sys/kern/kern_acl.c:92 |
β |
| DF-0202 |
Medium |
Unthrottled kprintf log-flood DoS via umtx_sleep/wakeup on unmapped address
sys/kern/kern_umtx.c:150 |
β |
| DF-0207 |
Medium |
Memory leak in clist_alloc_cblocks: old c_data never freed on resize
sys/kern/tty_subr.c:61 |
β |
| DF-0234 |
Medium |
Signed-integer overflow in callout timer calc (min_period*hz/2) -> self-perpetuating CPU-burn or watchdog defeat
sys/kern/kern_wdog.c:94 |
β |
| DF-0236 |
Medium |
Driver callbacks (wdog_fn) invoked under global spinlock with interrupts disabled
sys/kern/kern_wdog.c:84 |
β |
| DF-0239 |
Medium |
Missing resume_kproc implementation: suspend permanently freezes kernel daemons
sys/kern/kern_kthread.c:216 |
β |
| DF-0245 |
Medium |
Per-cpu iowbytes counter underflow via thread migration accounting break
sys/kern/kern_iosched.c:79 |
β |
| DF-0246 |
Medium |
UAF: eventhandler dispatch traverses entry list without token while deregister frees entries
sys/kern/subr_eventhandler.c:114 |
β |
| DF-0266 |
Medium |
Uninitialized inflate window: kernel heap info leak via stale window data
sys/net/zlib.c:3706 |
β |
| DF-0269 |
Medium |
Stack buffer overflow in sppp_print_bytes: VLA sized len but hexncpy writes 3*len bytes
sys/net/sppp/if_spppsubr.c:5290 |
β |
| DF-0271 |
Medium |
NULL deref in bridge_input: unchecked bridge_lookup_member_if result (race with member deletion)
sys/net/bridge/if_bridge.c:2738 |
β |
| DF-0273 |
Medium |
Missing break between SIOCSIFDESCR and SIOCSIFFLAGS: fall-through reinterprets description length as interface flags
sys/net/if.c:2131 |
β |
| DF-0275 |
Medium |
Heap buffer overflow in WPA/RSN IE construction: variable-length IE written into fixed sizeof(ieee80211_ie_wpa)=100 slot
sys/netproto/802_11/wlan/ieee80211_output.c:1976 |
β |
| DF-0276 |
Medium |
Wrong-pointer kfree in DIOCADDADDR error path frees framework pointer instead of allocated pooladdr
sys/net/pf/pf_ioctl.c:2160 |
β |
| DF-0282 |
Medium |
Signed tx_cred overflow and OOB credit byte read in UIH reception
sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2409 |
β |
| DF-0286 |
Medium |
Missing length validation in mesh action frame handler: OOB read of stale data
sys/netproto/802_11/wlan/ieee80211_mesh.c:2548 |
β |
| DF-0287 |
Medium |
Divide-by-zero kernel panic in mesh_airtime_calc via ni_txrate==0
sys/netproto/802_11/wlan/ieee80211_mesh.c:3366 |
β |
| DF-0289 |
Medium |
UAF/TOCTOU: mesh route pointers returned unreferenced, forward_to_gates drops lock mid-traversal
sys/netproto/802_11/wlan/ieee80211_mesh.c:230 |
β |
| DF-0296 |
Medium |
UAF/cross-node races: peer hooks/nodes dereferenced without reference or peer-token
sys/netgraph7/netgraph/ng_base.c:1092 |
β |
| DF-0301 |
Medium |
Missing replay protection on CARP advertisements: L2-adjacent DoS of failover
sys/netinet/ip_carp.c:1137 |
β |
| DF-0302 |
Medium |
Failover state machine in input path runs without synchronization: concurrent state corruption
sys/netinet/ip_carp.c:1108 |
β |
| DF-0303 |
Medium |
HMAC precomputed context torn-read race between config and input paths
sys/netinet/ip_carp.c:504 |
β |
| DF-0306 |
Medium |
UAF in add_bw_upcall: mfc pointer used after mroute_token released across blocking kmalloc
sys/net/ip_mroute/ip_mroute.c:2285 |
β |
| DF-0320 |
Medium |
Reorder buffer rxa_m[] mutated without dedicated lock: RX races timer flush and ADDBA re-init (double-free/UAF)
sys/netproto/802_11/wlan/ieee80211_ht.c:780 |
β |
| DF-0325 |
Medium |
Deadlock: callout_stop under pcb_lock while timeout callback requires pcb_lock
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap.c:2765 |
β |
| DF-0337 |
Medium |
tcp_pcblist sysctl raw-copies entire inpcb and tcpcb with kernel pointers to unprivileged users
sys/netinet/tcp_subr.c:1284 |
β |
| DF-0349 |
Medium |
Heap OOB read in PREQ processing when target count is 0: (ndest-1) wraps to SIZE_MAX
sys/netproto/802_11/wlan/ieee80211_hwmp.c:311 |
β |
| DF-0352 |
Medium |
RANN frame overwrites shared global ieee80211_hwmp_rannint without lock: remote timer DoS
sys/netproto/802_11/wlan/ieee80211_hwmp.c:1971 |
β |
| DF-0354 |
Medium |
nd6_sysctl_prlist stack buffer over-read leaks kernel memory when router count exceeds buffer capacity
sys/netinet6/nd6.c:2238 |
β |
| DF-0355 |
Medium |
nd6_sysctl_drlist/prlist iterate defrouter/prefix lists without nd6_mtx: UAF race with RA processing
sys/netinet6/nd6.c:2168 |
β |
| DF-0365 |
Medium |
ieee80211_media_setup unbounded rate-set merge overflows stack buffer rs_rates[15]: 17 unique rates across 11a/b/g/HALF/QUARTER
sys/netproto/802_11/wlan/ieee80211.c:1564 |
β |
| DF-0366 |
Medium |
Lockless sc_count pre-check in lagg_start races with port destroy causing divide-by-zero panic
sys/net/lagg/if_lagg.c:1758 |
β |
| DF-0382 |
Medium |
config_red divides by (max_th-min_th) and max_th without zero check: kernel panic β same bug class as dummynet v1 unfixed
sys/net/dummynet3/ip_dummynet3.c:1351 |
β |
| DF-0388 |
Medium |
Kernel heap info leak via uninitialized rt_msghdr.rtm_inits in NET_RT_DUMP sysctl: no M_ZERO on buffer
sys/net/rtsock.c:1676 |
β |
| DF-0391 |
Medium |
pf_fragcache: m_dup NULL dereferenced before NULL check in m_adj argument: remote DoS under memory pressure with fragcrop
sys/net/pf/pf_norm.c:661 |
β |
| DF-0402 |
Medium |
Direct kernel dereference of user-controlled pointer in netmap_bdg_learning before copyin: panic or kernel info-leak
sys/net/netmap/netmap_vale.c:994 |
β |
| DF-0406 |
Medium |
in_delayed_cksum: unchecked m_pullup return leads to NULL pointer write panic
sys/netinet/ip_output.c:940 |
β |
| DF-0411 |
Medium |
Infinite loop in ng_parse_skip_value on unclosed quoted string inside brackets: kernel thread hang DoS
sys/netgraph7/netgraph/ng_parse.c:1651 |
β |
| DF-0418 |
Medium |
Unbounded default-router and prefix list growth from spoofed RAs: RA-flooding kernel memory exhaustion DoS
sys/netinet6/nd6_rtr.c:689 |
β |
| DF-0420 |
Medium |
Use-after-free in SCO reassembly buffer: sc_isoc_in_buffer retains dangling pointer after mbuf forwarded and realloc fails
sys/netgraph7/bluetooth/drivers/ubt/ng_ubt.c:1103 |
β |
| DF-0423 |
Medium |
Stale reg_mif_num after MRT6_DEL_MIF: remote NULL-deref panic via PIM REGISTER to freed register mif
sys/netinet6/ip6_mroute.c:642 |
β |
| DF-0431 |
Medium |
Dead expire-scaling code: imported state expiry is always raw attacker value, enabling infinite-lifetime states
sys/net/pf/if_pfsync.c:402 |
β |
| DF-0436 |
Medium |
Heap OOB read + security-filter bypass via OGF=0/event=0: negative bitstr index into ng_btsocket_hci_raw_sec_filter
sys/netgraph7/bluetooth/socket/ng_btsocket_hci_raw.c:669 |
β |
| DF-0441 |
Medium |
Divide-by-zero kernel panic when ns_per_byte==0: CBQ class add/modify unconditionally divides by user-supplied value
sys/net/altq/altq_rmclass.c:237 |
β |
| DF-0445 |
Medium |
altq_etherclassify NULL-pointer dereference: mbuf chain walk advances to m_next without NULL check
sys/net/if_ethersubr.c:927 |
β |
| DF-0450 |
Medium |
OOB kernel heap read in ng_string_unparse via unbounded strlen on binary data without NUL terminator
sys/netgraph/netgraph/ng_parse.c:722 |
β |
| DF-0451 |
Medium |
OOB read in ng_fixedstring_unparse: known bufSize ignored, delegates to unbounded strlen
sys/netgraph/netgraph/ng_parse.c:785 |
β |
| DF-0454 |
Medium |
Uninitialized kernel stack info leak in RPN response: param_mask never initialized for 1-byte RPN command
sys/netbt/rfcomm_session.c:1227 |
β |
| DF-0458 |
Medium |
Heap over-read / info-leak / panic in L2CA_Ping: missing echo-data length validation
sys/netgraph7/bluetooth/l2cap/ng_l2cap_ulpi.c:1306 |
β |
| DF-0474 |
Medium |
Opcode iteration loop: F_LEN(cmd)==0 causes infinite loop hanging netisr thread
sys/net/ipfw3/ip_fw3.c:493 |
β |
| DF-0475 |
Medium |
act_ofs never validated: OOB pointer deref via ACTION_PTR during packet matching
sys/net/ipfw3/ip_fw3.c:520 |
β |
| DF-0476 |
Medium |
ip_fw3_register_module: strncpy bounded by strlen(src) not sizeof(dst): buffer overflow + missing NUL
sys/net/ipfw3/ip_fw3.c:180 |
β |
| DF-0477 |
Medium |
ip_fw3_ctl_get_modules: bcopy without checking strlen(module_str) <= sopt_valsize: buffer overflow
sys/net/ipfw3/ip_fw3.c:985 |
β |
| DF-0484 |
Medium |
SYN-cookie crypto state global unsynchronized across netisr CPUs: racy MD5_CTX + tcp_secret[] defeats SYN-flood mitigation
sys/netinet/tcp_syncache.c:1351 |
β |
| DF-0495 |
Medium |
rn_delete integer underflow: klen-head_off wraps to huge size_t when key sa_len < tree offset -> kernel panic
sys/net/radix.c:884 |
β |
| DF-0497 |
Medium |
TOCTOU use-after-free on rtentry in ng_btsocket_l2cap_raw_bind: releases rt_lock before storing pointer
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:690 |
β |
| DF-0502 |
Medium |
ng_fec_shutdown infinite loop when member interface destroyed: dangling pointer + unkillable loop
sys/netgraph7/ng_fec.c:1335 |
β |
| DF-0503 |
Medium |
ifnet locking-contract violation and stored-pointer UAF on member ifnets
sys/netgraph7/ng_fec.c:370 |
β |
| DF-0510 |
Medium |
Credential bypass via thread0 fallback in socket operations: root creds for all ksocket ops
sys/netgraph7/ksocket/ng_ksocket.c:546 |
β |
| DF-0513 |
Medium |
Rule-chain mutation raced with concurrent ip6_fw_chk: lock-free linked list + kfree after crit_exit -> UAF on SMP
sys/net/ip6fw/ip6_fw.c:856 |
β |
| DF-0518 |
Medium |
ICMP error generation (icmp_error) not rate-limited: reflection/amplification DoS
sys/netinet/ip_icmp.c:144 |
β |
| DF-0521 |
Medium |
PF_LOCAL sockaddr unparse: sun_len<pathoff underflow -> giant bcopy -> stack OOB write (DF-0509 v1 twin)
sys/netgraph/ksocket/ng_ksocket.c:321 |
β |
| DF-0522 |
Medium |
thread0 root-credential fallback for socket operations (DF-0510 v1 twin)
sys/netgraph/ksocket/ng_ksocket.c:559 |
β |
| DF-0526 |
Medium |
ng_fec_choose_port dereferences ether/IP headers without mbuf length validation: OOB read
sys/netgraph/fec/ng_fec.c:897 |
β |
| DF-0527 |
Medium |
ng_fec_choose_port NULL dereference when computed port index removed: reachable panic after port delete
sys/netgraph/fec/ng_fec.c:896 |
β |
| DF-0528 |
Medium |
ng_fec_rmnode infinite loop when member interface vanished: dangling ptr + unkillable loop
sys/netgraph/fec/ng_fec.c:1224 |
β |
| DF-0529 |
Medium |
Double-kfree/interior-pointer kfree in ng_fec_constructor error paths: heap corruption
sys/netgraph/fec/ng_fec.c:1085 |
β |
| DF-0533 |
Medium |
Unsynchronized sc->inq/outq between hard ISR and netgraph forward: ifqueue corruption / UAF
sys/netgraph7/bluetooth/drivers/bt3c/ng_bt3c_pccard.c:939 |
β |
| DF-0534 |
Medium |
Heap OOB read in ngc_send: ng_mesg buffer under-allocated, header fields read out of bounds
sys/netgraph7/socket/ng_socket.c:254 |
β |
| DF-0535 |
Medium |
Integer underflow in ngc_send path-length math: sg_len<2 -> bcopy with SIZE_MAX -> kernel heap smash
sys/netgraph7/socket/ng_socket.c:245 |
β |
| DF-0536 |
Medium |
Unprivileged kernel heap over-read via non-NUL-terminated sg_data in ng_connect_data
sys/netgraph7/socket/ng_socket.c:752 |
β |
| DF-0540 |
Medium |
Uninitialized cmd.ident sent in Command Reject: remote 1-byte kernel stack info leak
sys/netbt/l2cap_signal.c:70 |
β |
| DF-0547 |
Medium |
Ring cleanup trusts userspace-writable buf_idx: cross-adapter double-free / buffer aliasing
sys/net/netmap/netmap_mem2.c:995 |
β |
| DF-0554 |
Medium |
Missing min frame-length check + unsigned STEPBY underflow: kernel heap OOB read in LMI parser
sys/netgraph/lmi/ng_lmi.c:552 |
β |
| DF-0560 |
Medium |
hci_event_command_compl: reads status byte beyond asserted length -> short-event remote kernel panic
sys/netbt/hci_event.c:299 |
β |
| DF-0562 |
Medium |
STEPBY unsigned underflow via missing minimum length check (LMI_MIN_LENGTH defined never used) β ng7 twin of DF-0554
sys/netgraph7/lmi/ng_lmi.c:88 |
β |
| DF-0565 |
Medium |
Callout lifetime: ng_uncallout non-synchronizing + nglmi_shutdown omits ng_uncallout β ng7 twin of DF-0557
sys/netgraph7/lmi/ng_lmi.c:1053 |
β |
| DF-0566 |
Medium |
ACL reassembly want is uint16_t: overshoot wraps -> L2CAP RX stall + unbounded memory growth
sys/netbt/hci_link.c:421 |
β |
| DF-0571 |
Medium |
kernel panic on any non-TCP/UDP/ICMP packet hitting NAT rule
sys/net/ipfw3_nat/ip_fw3_nat.c:219 |
β |
| DF-0573 |
Medium |
Unvalidated ioc->id used as nats[] index: OOB read/write of pointer array
sys/net/ipfw3_nat/ip_fw3_nat.c:745 |
β |
| DF-0581 |
Medium |
ieee80211_setup_rates trusts attacker-controlled IE length byte: latent heap overflow of rs_rates[15]
sys/netproto/802_11/wlan/ieee80211_input.c:420 |
β |
| DF-0585 |
Medium |
TAPSIFINFO leaks the ifnet serializer on type mismatch (local DoS / kernel wedge)
sys/net/tap/if_tap.c:738 |
β |
| DF-0586 |
Medium |
Lockless global hci_pcb list allows use-after-free during concurrent socket teardown and packet tap
sys/netbt/hci_socket.c:87 |
β |
| DF-0588 |
Medium |
tunwrite leaks mbuf chain on unsupported address family (m_freem(m) vs m_freem(top))
sys/net/tun/if_tun.c:875 |
β |
| DF-0589 |
Medium |
sc->outq mbuf-queue race in ng_h4: IF_DEQUEUE in ng_h4_start (tty ctx) vs IF_DRAIN in disconnect/shutdown (netgraph ctx); NG_H4_LOCK is only per-CPU crit_enter
sys/netgraph7/bluetooth/drivers/h4/ng_h4.c:88 |
β |
| DF-0596 |
Medium |
Unsynchronized SMP race on xmitWin causes heap OOB write on timeSent[] in ng_pptpgre
sys/netgraph/pptpgre/ng_pptpgre.c:121 |
β |
| DF-0018 |
Low |
Duplicate DELETE for same DMSG msgid triggers KKASSERT panic (DoS)
sys/kern/kern_dmsg.c:1076 |
β |
| DF-0019 |
Low |
usched_bsd4.queue_checks accepts <=0 causing NULL-deref/panic in cache-coherent chooseproc
sys/kern/usched_bsd4.c:1483 |
β |
| DF-0020 |
Low |
ELF ABI-note descriptor read out of bounds (note_overflow ignores n_descsz)
sys/kern/imgact_elf.c:1700 |
β |
| DF-0021 |
Low |
Signed-int overflow in oversized kmalloc size reconstruction (*kup << PAGE_SHIFT)
sys/kern/kern_slaballoc.c:1202 |
β |
| DF-0022 |
Low |
PPS_IOC_KCBIND missing privilege check allows unprivileged kernel-PLL binding (NTP confusion)
sys/kern/kern_clock.c:1680 |
β |
| DF-0024 |
Low |
Heap overflow in linker_search_path() via over-long kldload module name
sys/kern/kern_linker.c:1458 |
β |
| DF-0025 |
Low |
Missing privilege check on sys_kldstat()/sys_kldsym() leaks kernel symbol and module addresses
sys/kern/kern_linker.c:940 |
β |
| DF-0026 |
Low |
Root-writable bioq_reorder_minor_interval used as modulus divisor without validation -> divide-by-zero panic
sys/kern/subr_disk.c:1325 |
β |
| DF-0027 |
Low |
wait4/wait6 leak uninitialized kernel stack via status, rusage/wrusage and siginfo on WNOHANG/WCONTINUED return paths
sys/kern/kern_exit.c:913 |
β |
| DF-0029 |
Low |
Unchecked copyin() in jrecord_data leaves stale kernel data in the journal stream
sys/kern/vfs_journal.c:1093 |
β |
| DF-0030 |
Low |
jrecord_write_path goto again can spin indefinitely under concurrent rename (local DoS)
sys/kern/vfs_journal.c:1251 |
β |
| DF-0031 |
Low |
pipe->open_count underflow on pipe_create partial failure leaks kernel KVA and pipe struct
sys/kern/sys_pipe.c:433 |
β |
| DF-0034 |
Low |
Uninitialized st_padding1 leaked to userspace via every stat syscall
sys/kern/vfs_vnops.c:852 |
β |
| DF-0038 |
Low |
journal_putpages UNDO records btoc(a_count) pages instead of a_count bytes (silent rollback corruption)
sys/kern/vfs_jops.c:955 |
β |
| DF-0040 |
Low |
Section-header index not bounds-checked against e_shnum in link_elf_obj_load_file (heap OOB read)
sys/kern/link_elf_obj.c:551 |
β |
| DF-0041 |
Low |
Unbounded st_name / sh_name offsets into symbol/section string tables (heap OOB read via strcmp)
sys/kern/link_elf_obj.c:304 |
β |
| DF-0042 |
Low |
Relocation r_offset never bounds-checked against target section size (OOB / wild kernel write)
sys/kern/link_elf_obj.c:940 |
β |
| DF-0046 |
Low |
Missing SEMVMX upper-bound in semop/semexit allows semval overflow, wrap, spurious wakeups, and rollback corruption
sys/kern/sysv_sem.c:848 |
β |
| DF-0050 |
Low |
msgctl(IPC_STAT) leaks kernel heap pointers (msg_first/msg_last) and uninitialized padding to any local user
sys/kern/sysv_msg.c:324 |
β |
| DF-0052 |
Low |
alst_leaf_alloc corrupts bm_bighint hint by mutating start before the bighint-decision comparison
sys/kern/subr_alist.c:443 |
β |
| DF-0054 |
Low |
Truncated prison-id sysctl node name in prison_sysctl_create (off-by-one in ksnprintf size)
sys/kern/kern_jail.c:993 |
β |
| DF-0057 |
Low |
Missing e_shentsize validation causes heap OOB read on shdr[] array
sys/kern/link_elf.c:590 |
β |
| DF-0058 |
Low |
Unbounded sh_link to symstrindex causes heap OOB read (DF-0040 analogue, worse: no check at all)
sys/kern/link_elf.c:601 |
β |
| DF-0059 |
Low |
Uninitialized segs[1]/segs[0] dereference when fewer than 2 PT_LOAD segments
sys/kern/link_elf.c:399 |
β |
| DF-0060 |
Low |
DT_HASH d_ptr dereferenced without bounds validation - wild kernel read in parse_dynamic
sys/kern/link_elf.c:240 |
β |
| DF-0061 |
Low |
Relocation r_offset never bounds-checked against module size (DF-0042 analogue, wild write)
sys/kern/link_elf.c:714 |
β |
| DF-0062 |
Low |
Unbounded st_name offsets into strtab (DF-0041 analogue, heap OOB read via strcmp)
sys/kern/link_elf.c:698 |
β |
| DF-0063 |
Low |
Hash-chain cycle in link_elf_lookup_symbol causes kernel infinite-loop DoS
sys/kern/link_elf.c:812 |
β |
| DF-0067 |
Low |
add_buffer_randomness_src passes full remaining length (bytes) instead of chunk size (n), defeating cross-CPU entropy splitting
sys/kern/kern_nrandom.c:650 |
β |
| DF-0071 |
Low |
Missing sign/upper-bound validation on vpcount before heap alloc + file read (negative->huge kmalloc M_WAITOK DoS)
sys/kern/kern_checkpoint.c:561 |
β |
| DF-0072 |
Low |
Missing sign/upper-bound validation on cfh_nfiles before heap alloc + file read (DoS; 32-bit integer-overflow heap OOB)
sys/kern/kern_checkpoint.c:596 |
β |
| DF-0076 |
Low |
soisconnected derefs head->so_accf based on inherited child SO_ACCEPTFILTER flag (NULL-deref/UAF race)
sys/kern/uipc_socket2.c:252 |
β |
| DF-0077 |
Low |
Uninitialized kernel stack bytes leaked via kern.ntp_pll.gettime sysctl (struct ntptimeval trailing padding)
sys/kern/kern_ntptime.c:205 |
β |
| DF-0080 |
Low |
MEMRANGE_SET ioctl bypasses securelevel (mem_ioctl never checks FWRITE flag)
sys/kern/kern_memio.c:521 |
β |
| DF-0084 |
Low |
Off-by-one OOB read in get_next_valid_apicid: array indexed before bound check in while condition
sys/kern/subr_cpu_topology.c:91 |
β |
| DF-0085 |
Low |
taskqgroup_drain_all uses wrong loop bound (ncpus instead of tqg_cnt) - latent UAF if API adopted
sys/kern/subr_gtaskqueue.c:806 |
β |
| DF-0088 |
Low |
No runtime validation in free_unrl against out-of-range/double-free (KASSERT-only, defense-in-depth)
sys/kern/subr_unit.c:556 |
β |
| DF-0089 |
Low |
Resource merge in release path ignores address contiguity - creates false spans across unmanaged gaps
sys/kern/subr_rman.c:560 |
β |
| DF-0090 |
Low |
rman_reserve_resource has no count==0 guard - unsigned underflow in range math corrupts resource list
sys/kern/subr_rman.c:205 |
β |
| DF-0093 |
Low |
Kernel heap pointer leaked to userspace via shmctl(IPC_STAT) shm_internal field + struct padding
sys/kern/sysv_shm.c:420 |
β |
| DF-0095 |
Low |
Per-process shmmap_state sized at alloc-time shmseg but all loops re-read LIVE root-writable shminfo.shmseg - OOB when raised
sys/kern/sysv_shm.c:284 |
β |
| DF-0096 |
Low |
sglist_join has reversed bcopy arguments - joins produce stale/garbage segments (dead code, identical to upstream FreeBSD)
sys/kern/subr_sglist.c:583 |
β |
| DF-0097 |
Low |
sglist_consume_uio truncates iov_len (size_t) to int - signedness confusion / data drop (dead code)
sys/kern/subr_sglist.c:383 |
β |
| DF-0099 |
Low |
Off-by-one heap NUL-byte overflow in vfs_mountroot_try via ksscanf width/buffer-size mismatch
sys/kern/vfs_conf.c:419 |
β |
| DF-0101 |
Low |
struct ktr_header written to trace file leaks kernel pointer (ktr_buf) and uninitialized padding
sys/kern/kern_ktrace.c:611 |
β |
| DF-0102 |
Low |
Uninitialized payload fields (ktr_sysret.ktr_eosys, ktr_syscall padding) written to trace file
sys/kern/kern_ktrace.c:139 |
β |
| DF-0105 |
Low |
DT_CALLOUT_ARMED set before callout_reset creates enqueue/cancel race (panic or tq_callouts underflow + spurious UAF)
sys/kern/subr_taskqueue.c:355 |
β |
| DF-0108 |
Low |
Unvalidated d_secsize in writedisklabel enables oversized I/O transfer
sys/kern/subr_disklabel32.c:336 |
β |
| DF-0111 |
Low |
CT_CHAR (%c) non-suppress bcopy reads width bytes without checking inr -> OOB read
sys/kern/subr_scanf.c:307 |
β |
| DF-0113 |
Low |
PT_DETACH reparents tracee to recycled p_oppid PID
sys/kern/sys_process.c:350 |
β |
| DF-0118 |
Low |
Memory leak of dios_io/dios_open on kdmsg state teardown (no destructor for state->any.any)
sys/kern/subr_diskiocom.c:637 |
β |
| DF-0120 |
Low |
Unprivileged read of all kernel env variables (boot/loader secrets)
sys/kern/kern_environment.c:135 |
β |
| DF-0124 |
Low |
Unsynchronized open-mode bookkeeping in cnopen/cnclose (D_MPSAFE)
sys/kern/tty_cons.c:368 |
β |
| DF-0125 |
Low |
sysctl_kern_consmute races cnread/cnwrite/cnioctl forwarding (no lock)
sys/kern/tty_cons.c:257 |
β |
| DF-0128 |
Low |
fp_vpopen NULL deref on td->td_proc when called from pure thread context
sys/kern/kern_fp.c:165 |
β |
| DF-0129 |
Low |
fp_mmap dereferences fp->f_data without NULL check after f_type check
sys/kern/kern_fp.c:472 |
β |
| DF-0130 |
Low |
fp_read all=1 mode can spin indefinitely on persistent EINTR/ERESTART
sys/kern/kern_fp.c:271 |
β |
| DF-0132 |
Low |
Unvalidated sensor type as array index: OOB write in sensor_attach/detach
sys/kern/kern_sensors.c:143 |
β |
| DF-0133 |
Low |
Algorithmic-complexity DoS in EBR recursion (tetranacci explosion)
sys/kern/subr_diskmbr.c:427 |
β |
| DF-0135 |
Low |
Integer overflow in l64_setdisklabel partition bounds check: p_boffset+p_bsize wraparound bypasses ENOSPC
sys/kern/subr_disklabel64.c:304 |
β |
| ID | Severity | Finding | Location | |
|---|---|---|---|---|
| DF-0138 | Low | Cross-jail USER varsym namespace sharing (per-UID not per-jail) | sys/kern/kern_varsym.c:259 | β |
| DF-0140 | Low | Unchecked queue argument -> OOB write on wc_blocked[queue] | sys/kern/subr_sleepqueue.c:266 | β |
| DF-0146 | Low | prop_dictionary/prop_array leaks on several sys_vquotactl paths | sys/kern/vfs_quota.c:374 | β |
| DF-0147 | Low | Signed/unsigned accounting: int64_t delta added to uint64_t ac_bytes can wrap | sys/kern/vfs_quota.c:160 | β |
| DF-0148 | Low | TOCTOU: vq_write_ok check and vfs_stdaccount commit are separate critical sections | sys/kern/vfs_quota.c:443 | β |
| DF-0150 | Low | Unbounded strlen/strcmp on TLV string fields ignores declared length | sys/kern/subr_module.c:69 | β |
| DF-0151 | Low | Fixed-size reads in preload_modinfo_value ignore field length | sys/kern/subr_module.c:374 | β |
| DF-0152 | Low | preload_dump_internal termination check weaker than other walkers; huge len advances pointer | sys/kern/subr_module.c:410 | β |
| DF-0156 | Low | be_uuid_dec decodes time_mid with wrong byte order (le16dec instead of be16dec) | sys/kern/kern_uuid.c:361 | β |
| DF-0157 | Low | xio_uio_copy missing upper-bound check; KKASSERT(bytes>=0) is tautology on unsigned size_t | sys/kern/kern_xio.c:196 | β |
| DF-0158 | Low | Signed uoffset/bytes in copy routines let negative values bypass EFAULT guard | sys/kern/kern_xio.c:235 | β |
| DF-0161 | Low | m_tag_copy_chain reverses tag order: tprev=t misplaced inside else branch | sys/kern/uipc_mbuf2.c:376 | β |
| DF-0163 | Low | module_register_init runs lookup/register/MOD_EVENT without mod_token | sys/kern/kern_module.c:89 | β |
| DF-0166 | Low | syscap_set INPARENT: uid/prison checked without p_token before capability mutation | sys/kern/kern_caps.c:164 | β |
| DF-0167 | Low | syscap_get INPARENT: no same-uid/same-prison authorization: info leak of capability config | sys/kern/kern_caps.c:95 | β |
| DF-0170 | Low | Ignored copyin return feeds uninitialized stack sched_param into ksched | sys/kern/kern_p1003_1b.c:202 | β |
| DF-0173 | Low | Divide-by-zero panic via kern.hz=0 loader tunable | sys/kern/subr_param.c:200 | β |
| DF-0174 | Low | Integer overflow in ncallout via unbounded kern.maxfiles | sys/kern/subr_param.c:282 | β |
| DF-0177 | Low | cttykqfilter forwards knote to ttyvp with no token and no reference | sys/kern/tty_tty.c:284 | β |
| DF-0178 | Low | cttyvp() snapshot read of s_ttyvp unsynchronized vs proc_token-held writers | sys/kern/tty_tty.c:74 | β |
| DF-0179 | Low | Unconditional kernel address leak via kern.proc sysctl (KASLR bypass) | sys/kern/kern_kinfo.c:128 | β |
| DF-0182 | Low | Uninitialized kernel stack memory disclosed via vm.resident sysctl | sys/kern/imgact_resident.c:82 | β |
| DF-0183 | Low | UAF of tsleep wait channel when racing unregister of in-flight resident image | sys/kern/imgact_resident.c:291 | β |
| DF-0186 | Low | vacl_delete silently ignores user-supplied ACL type, always deletes ACL_TYPE_DEFAULT | sys/kern/kern_acl.c:107 | β |
| DF-0187 | Low | vacl_get_acl/aclcheck call VOPs without vnode lock, inconsistent with set/delete | sys/kern/kern_acl.c:88 | β |
| DF-0189 | Low | TOCTOU race in /dev/klog single-open enforcement | sys/kern/subr_log.c:98 | β |
| DF-0190 | Low | logopen performs no jail check beyond devfs file mode | sys/kern/subr_log.c:92 | β |
| DF-0191 | Low | Divide-by-zero panic via log_wakeups_per_second=0 sysctl | sys/kern/subr_log.c:87 | β |
| DF-0193 | Low | vfs_vptofh reads vp->v_mount twice without snapshot/NULL-check | sys/kern/vfs_vfsops.c:266 | β |
| DF-0196 | Low | STAILQ_REMOVE in devstat_remove_entry derefs NULL if node already absent | sys/kern/subr_devstat.c:139 | β |
| DF-0198 | Low | tag_types[tag_type] indexed without bounds check | sys/kern/subr_devstat.c:211 | β |
| DF-0199 | Low | Day-of-month 0 causes unsigned underflow in fattime2timespec (crafted FAT image) | sys/kern/subr_fattime.c:233 | β |
| DF-0200 | Low | Negative tv_sec bypasses 1980-truncate guard in timespec2fattime | sys/kern/subr_fattime.c:150 | β |
| DF-0203 | Low | Sentinel -1 collision: fuwordadd32 fault indistinguishable from mutex value -1 | sys/kern/kern_umtx.c:146 | β |
| DF-0204 | Low | umtx_wakeup ignores count argument: over-wakeup / cross-process thundering herd | sys/kern/kern_umtx.c:297 | β |
| DF-0208 | Low | No validation of negative length in clist_qtob/btoq/ndflush | sys/kern/tty_subr.c:127 | β |
| DF-0209 | Low | clist_nextc trusts caller cp without validating within live ring window | sys/kern/tty_subr.c:229 | β |
| DF-0212 | Low | lwkt_serialize_handler_try omits post-acquire re-check of handler-enabled bit | sys/kern/lwkt_serialize.c:189 | β |
| DF-0216 | Low | sysctl_kcollect_data copies past user buffer (unsigned underflow in bounds check) | sys/kern/kern_collect.c:235 | β |
| DF-0217 | Low | sysctl reads kcollect_ary outside lock racing collection thread | sys/kern/kern_collect.c:233 | β |
| DF-0221 | Low | Signed 1<<31 overflow disables Fortuna pool 31 from reseed schedule | sys/kern/subr_csprng.c:203 | β |
| DF-0223 | Low | Missing sched_priority bounds check in SCHED_OTHER + signed-overflow UB in p4prio_to_rtpprio | sys/kern/kern_sched.c:181 | β |
| DF-0224 | Low | ksched_getparam leaves sched_priority uninitialized for non-RT procs -> kernel stack info leak | sys/kern/kern_sched.c:142 | β |
| DF-0228 | Low | hdr_lba_table (uint64) read via le32toh() -> silent 64-to-32 truncation | sys/kern/subr_diskgpt.c:133 | β |
| DF-0229 | Low | uint32 wraparound in table_lba+table_blocks location bounds-check | sys/kern/subr_diskgpt.c:139 | β |
| DF-0232 | Low | SIOCSPGRP invokes fsetown(-INT_MIN) -> signed-overflow UB on attacker-controlled value | sys/kern/sys_socket.c:164 | β |
| DF-0233 | Low | Lockless SLIST traversal of domains list races with crit_enter-only writer | sys/kern/uipc_domain.c:137 | β |
| DF-0235 | Low | No bounds validation on watchdog period (negative/>period_max accepted) | sys/kern/kern_wdog.c:114 | β |
| DF-0237 | Low | TOCTOU on wdog_auto_enable in wdog_ioctl | sys/kern/kern_wdog.c:191 | β |
| DF-0238 | Low | Callout overwrites sysctl-visible wdog_auto_period with driver-reported min | sys/kern/kern_wdog.c:108 | β |
| DF-0240 | Low | suspend_kproc swallows timeout: always returns 0 even when daemon did not stop | sys/kern/kern_kthread.c:195 | β |
| DF-0241 | Low | kproc_start dereferences thread pointer before checking kthread_create error | sys/kern/kern_kthread.c:176 | β |
| DF-0248 | Low | Lockless SLIST traversal in accept_filt_get races with crit_enter-only add/del -> UAF | sys/kern/uipc_accf.c:99 | β |
| DF-0249 | Low | Driver b_resid>b_bcount underflows iolen to huge size_t: oversized copyout leaks kernel heap | sys/kern/kern_physio.c:112 | β |
| DF-0253 | Low | Namecache lock+ref leaked on nc_vp==NULL error path (missing nlookup_done) | sys/kern/vfs_synth.c:82 | β |
| DF-0254 | Low | Namecache reference leaked on every successful call (cache_drop never called) | sys/kern/vfs_synth.c:86 | β |
| DF-0256 | Low | Kernel pointer info leak via kern.file sysctl (f_file, f_data) to unprivileged users | sys/kern/subr_kcore.c:67 | β |
| DF-0260 | Low | tcpopts_match/ipopts_match read options beyond m_pullup-guaranteed contiguous region | sys/net/ipfw/ip_fw2.c:1296 | β |
| DF-0261 | Low | act_ofs copied from user input without validation against cmd_len -> heap OOB read | sys/net/ipfw/ip_fw2.c:4515 | β |
| DF-0262 | Low | IPv6 NAT destination-translation corrupts source address (copy-paste bug) | sys/net/pf/pf.c:3896 | β |
| DF-0263 | Low | ICMP-error NAT for other protocol corrupts inner source (copy-paste bug) | sys/net/pf/pf.c:5732 | β |
| DF-0264 | Low | Unsigned wraparound in p_len when TCP th_off exceeds actual header | sys/net/pf/pf.c:6623 | β |
| DF-0267 | Low | Race condition in fixed Huffman table initialization | sys/net/zlib.c:4496 | β |
| DF-0268 | Low | No decompression bomb (zip bomb) protection | sys/net/zlib.c:3209 | β |
| DF-0270 | Low | OOB read in PAP ACK/NAK debug: wrong bound len+4 should be len-4 | sys/net/sppp/if_spppsubr.c:4390 | β |
| DF-0274 | Low | SIOCADDMULTI trusts user sa_len for heap alloc and bcopy without bounds check | sys/net/if.c:2327 | β |
| DF-0277 | Low | Kernel pointer leak via DIOCGETRULE: bcopy of pf_rule exposes kif/anchor/rpool.cur/skip[].ptr | sys/net/pf/pf_ioctl.c:1336 | β |
| DF-0278 | Low | Kernel pointer leak via DIOCGETADDR: bcopy of pf_pooladdr exposes pfi_kif* | sys/net/pf/pf_ioctl.c:2220 | β |
| DF-0279 | Low | Kernel pointer leak via DIOCGETALTQ: bcopy of pf_altq exposes altq_disc | sys/net/pf/pf_ioctl.c:2088 | β |
| DF-0280 | Low | Integer overflow in ptr_array allocation in pf_setup_pfsync_matching (32-bit only, theoretical) | sys/net/pf/pf_ioctl.c:942 | β |
| DF-0283 | Low | Unconditional kernel panic if mbuf chain ends with zero-length mbuf | sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:1956 | β |
| DF-0284 | Low | Missing per-command payload bounds checks in MCC handlers (OOB read) | sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2521 | β |
| DF-0288 | Low | OOB read in mesh peering action: peer_linkid/peer_rcode decoded before length check | sys/netproto/802_11/wlan/ieee80211_mesh.c:2174 | β |
| DF-0290 | Low | GANN sequence comparison not wrap-safe (raw <= on uint32) | sys/netproto/802_11/wlan/ieee80211_mesh.c:2649 | β |
| DF-0292 | Low | Missing privilege check on SIOCG80211 (get path): unpriv info disclosure | sys/netproto/802_11/wlan/ieee80211_ioctl.c:3467 | β |
| DF-0293 | Low | OOB heap read in setwparsnie during WPA/RSN app-IE split | sys/netproto/802_11/wlan/ieee80211_ioctl.c:2319 | β |
| DF-0294 | Low | KASSERT panic/uint16 truncation in get_scan_result from remote IE length | sys/netproto/802_11/wlan/ieee80211_ioctl.c:280 | β |
| DF-0295 | Low | UAF race in setappie: non-atomic pointer swap/free vs concurrent beacon/IE readers | sys/netproto/802_11/wlan/ieee80211_ioctl.c:2272 | β |
| DF-0297 | Low | 1-byte heap OOB read in ng_name_node name-length validation | sys/netgraph7/netgraph/ng_base.c:817 | β |
| DF-0298 | Low | ng_type->refs refcount mutated without typelist lock | sys/netgraph7/netgraph/ng_base.c:636 | β |
| DF-0304 | Low | CARP shared secret key material not zeroed before kfree | sys/netinet/ip_carp.c:307 | β |
| DF-0305 | Low | HMAC comparison uses non-constant-time bcmp: timing side-channel | sys/netinet/ip_carp.c:581 | β |
| DF-0307 | Low | Kernel heap/code pointer leak via SYSCTL_OPAQUE of mfctable and viftable to unprivileged users | sys/net/ip_mroute/ip_mroute.c:90 | β |
| DF-0308 | Low | X_ipip_input reads viftable/last_encap_vif without mroute_token: race with vif teardown | sys/net/ip_mroute/ip_mroute.c:1709 | β |
| DF-0309 | Low | Unbounded pending NOCACHE upcall entries: remote memory-exhaustion DoS when mrouter active | sys/net/ip_mroute/ip_mroute.c:1266 | β |
| DF-0310 | Low | Non-atomic increment of global fragment ID (ip6_id): data race / predictable fragment IDs | sys/netinet6/ip6_output.c:753 | β |
| DF-0311 | Low | Multicast setsockopt discards copyin error: partially-initialized mbuf fed to ip6_setmoptions | sys/netinet6/ip6_output.c:1496 | β |
| DF-0312 | Low | Unchecked ifindex2ifnet[] indexing from embedded address scope-id on loopback output | sys/netinet6/ip6_output.c:577 | β |
| DF-0316 | Low | OOB read: wg_output dereferences 4 bytes from mbuf without length check in BPF AF_UNSPEC path | sys/net/wg/if_wg.c:2289 | β |
| DF-0317 | Low | Unsynchronized global static shared across all WireGuard interfaces in wg_is_underload | sys/net/wg/if_wg.c:1577 | β |
| DF-0321 | Low | Uninitialized stack read of maxunequalmcs when HTC_TXUNEQUAL set but ic_txstream<2 | sys/netproto/802_11/wlan/ieee80211_ht.c:1643 | β |
| DF-0322 | Low | No validation of tid/baw before indexing ni_rx_ampdu[tid] and setting rxa_wnd | sys/netproto/802_11/wlan/ieee80211_ht.c:566 | β |
| DF-0323 | Low | ampdu_dispatch re-enters ieee80211_input while iterating rxa_m[] (re-entrancy) | sys/netproto/802_11/wlan/ieee80211_ht.c:616 | β |
| DF-0327 | Low | ieee80211_ies_expand walks IE blob with no length validation: OOB read | sys/netproto/802_11/wlan/ieee80211_node.c:982 | β |
| DF-0328 | Low | node_getmimoinfo loops on untrusted ni_mimo_chains without clamping to array size | sys/netproto/802_11/wlan/ieee80211_node.c:1164 | β |
| DF-0329 | Low | icmp6_redirect_output leaks uninitialized mbuf heap bytes in padded redirected-header option | sys/netinet6/icmp6.c:2560 | β |
| DF-0330 | Low | Global mutable pointer used as qsort comparator state: latent cross-bundle race | sys/netgraph7/ppp/ng_ppp.c:471 | β |
| DF-0331 | Low | Unbounded kprintf on fragment-queue exhaustion: remote log-flood DoS | sys/netgraph7/ppp/ng_ppp.c:1519 | β |
| DF-0333 | Low | Kernel pointer leak to unprivileged users via in_pcblist_range xinpcb dump | sys/netinet/in_pcb.c:2409 | β |
| DF-0334 | Low | Divide-by-zero panic in ephemeral port allocation on degenerate sysctl port range | sys/netinet/in_pcb.c:424 | β |
| DF-0336 | Low | tcp6_getcred hands live cred pointer to blocking copyout (UAF window), unlike IPv4 path | sys/netinet/tcp_subr.c:1366 | β |
| DF-0338 | Low | tcp_mtudisc accepts forged ICMP MTU small enough to drive t_maxseg negative | sys/netinet/tcp_subr.c:1783 | β |
| DF-0340 | Low | in6_ifremloop leaks rtentry refcount when matched route is not loopback host route | sys/netinet6/in6.c:318 | β |
| DF-0341 | Low | in6_lifaddr_ioctl SIOCDLIFADDR copies prefix mask into ifra_dstaddr instead of ifra_prefixmask | sys/netinet6/in6.c:1606 | β |
| DF-0344 | Low | No re-validation of m_len>=hlen after pfil hook rewrite/dummynet re-entry | sys/netinet/ip_input.c:631 | β |
| DF-0346 | Low | Uninitialized stack read of rsnparms on WPS/TSN assoc path bypasses HT-cipher downgrade protection | sys/netproto/802_11/wlan/ieee80211_hostap.c:1934 | β |
| DF-0347 | Low | Undefined behavior: 1<<32 in WPA/RSN cipher selector parsing for unknown OUI | sys/netproto/802_11/wlan/ieee80211_hostap.c:1198 | β |
| DF-0353 | Low | hwmp_recv_perr switches on dest_flags instead of dest_rcode: PERR never actioned | sys/netproto/802_11/wlan/ieee80211_hwmp.c:1768 | β |
| DF-0356 | Low | nd6_resolve ln_hold mbuf accessed without nd6_mtx: UAF race with nd6_timer | sys/netinet6/nd6.c:2078 | β |
| DF-0358 | Low | Sign error in netmap_grab_packets: computes cur+reserved instead of cur-reserved, forwarding wrong slots to host stack | sys/net/netmap/netmap.c:736 | β |
| DF-0359 | Low | Unguarded uint32 subtraction can underflow nr_hwavail, causing self-inflicted ring-state corruption | sys/net/netmap/netmap.c:906 | β |
| DF-0360 | Low | nm_dump_buf writes unbounded hex dump into fixed 8 KiB static buffer _dst | sys/net/netmap/netmap.c:322 | β |
| DF-0361 | Low | Default netmap ioctl passthrough fabricates zeroed stack struct socket passed to ifioctl | sys/net/netmap/netmap.c:1488 | β |
| DF-0363 | Low | ieee80211_dump_pkt reads WEP/QoS/4-addr fields without bounds-checking against frame length: OOB read when debug enabled | sys/netproto/802_11/wlan/ieee80211_proto.c:591 | β |
| DF-0367 | Low | lagg_input dereferences ifp->if_lagg unlocked: UAF during concurrent port detach | sys/net/lagg/if_lagg.c:1442 | β |
| DF-0370 | Low | Marker PDU reflection without rate-limiting or request-address validation: on-link amplification DoS | sys/net/lagg/ieee8023ad_lacp.c:1911 | β |
| DF-0371 | Low | Unlocked memcmp of lp_marker before LACP_LOCK: torn-read data race with lacp_xmit_marker | sys/net/lagg/ieee8023ad_lacp.c:1934 | β |
| DF-0373 | Low | delete_pipe uses wrong constant DN_NR_HASH_MAX(16) instead of DN_PIPE_NR_MAX(65536): pipes 17-65536 permanently undeletable | sys/net/dummynet/ip_dummynet.c:1654 | β |
| DF-0374 | Low | config_red divides by (max_th-min_th) and max_th without zero/negative check: kernel panic via setsockopt | sys/net/dummynet/ip_dummynet.c:1346 | β |
| DF-0375 | Low | red_drops divides by fs->lookup_step taken verbatim from user config: panic when lookup_step==0 | sys/net/dummynet/ip_dummynet.c:885 | β |
| DF-0376 | Low | Negative qsize bypasses queue-size limit via signed/unsigned comparison: unbounded mbuf accumulation / OOM | sys/net/dummynet/ip_dummynet.c:1437 | β |
| DF-0379 | Low | NGM_BINARY2ASCII heap OOB read via ng_unparse: arglen not validated against mesgType/respType struct size | sys/netgraph/netgraph/ng_base.c:1505 | β |
| DF-0380 | Low | Non-atomic refcount --node->refs/--hook->refs under crit_enter only: cross-CPU UAF/double-free race | sys/netgraph/netgraph/ng_base.c:473 | β |
| DF-0381 | Low | NGM_LISTHOOKS dereferences hook->peer without lock or ref: TOCTOU NULL-deref/UAF vs concurrent disconnect | sys/netgraph/netgraph/ng_base.c:1374 | β |
| DF-0383 | Low | SET_TICKS computes len*8*dn_hz as signed int: overflow for jumbo at high dn_hz; same as dummynet v1, unfixed | sys/net/dummynet3/ip_dummynet3.c:450 | β |
| DF-0386 | Low | ng_ppp_frag_checkstale sequence tracking diverges after gaps: stale-packet delivery suppressed | sys/netgraph/ppp/ng_ppp.c:1384 | β |
| DF-0387 | Low | No MRRU enforcement on MP fragment reassembly: peer can assemble oversized PDUs beyond negotiated MRRU | sys/netgraph/ppp/ng_ppp.c:1203 | β |
| DF-0389 | Low | Sockaddr padding not zeroed in rt_msg_buffer/rt_msg_mbuf: 1-7 bytes kernel memory leak per sockaddr | sys/net/rtsock.c:1140 | β |
| DF-0390 | Low | rt_xaddrs accepts sockaddrs with sa_len below _SA_MINSIZE: inconsistent with RO_MISSFILTER validation | sys/net/rtsock.c:1010 | β |
| DF-0392 | Low | Fragment overlap trim uses non-8-aligned shifts for last-fragment overlaps: inconsistent reassembly metadata | sys/net/pf/pf_norm.c:412 | β |
| DF-0394 | Low | SSID/rates/xrates copies rely solely on upstream parse_beacon validation: KASSERT is no-op on production kernels | sys/netproto/802_11/wlan/ieee80211_scan_sta.c:282 | β |
| DF-0395 | Low | sta_lookup returns entry with table lock released: callers dereference unlocked, TOCTOU use-after-free window | sys/netproto/802_11/wlan/ieee80211_scan_sta.c:1283 | β |
| DF-0396 | Low | sta_iterate drops table lock across user callback: entry can be freed concurrently, use-after-free | sys/netproto/802_11/wlan/ieee80211_scan_sta.c:1413 | β |
| DF-0397 | Low | rt_setshims: unchecked R_Malloc (M_NULLOK) leads to NULL-pointer-write panic via bcopy to NULL | sys/net/route.c:1374 | β |
| DF-0399 | Low | rtredirect_oncpu ignores rt_setgate return: routes redirect that failed or self-targets | sys/net/route.c:421 | β |
| DF-0400 | Low | rt_fixchange indexes mask bytes by key length without verifying mask size: latent OOB read | sys/net/route.c:1130 | β |
| DF-0403 | Low | Unvalidated dst_ring from custom lookup causes OOB index into dst_ents array | sys/net/netmap/netmap_vale.c:1162 | β |
| DF-0404 | Low | Potential OOB ring access in netmap_bwrap_register for NICs with asymmetric TX/RX ring counts | sys/net/netmap/netmap_vale.c:1699 | β |
| DF-0407 | Low | setsockopt(IP_OPTIONS) overwrites copyin error: parses stale mbuf data as IP options on copyin failure | sys/netinet/ip_output.c:1097 | β |
| DF-0412 | Low | Kernel heap OOB read in ng_string_unparse via unbounded strlen on binary data without NUL terminator | sys/netgraph7/netgraph/ng_parse.c:747 | β |
| DF-0415 | Low | Signed integer overflow in keepalive t_maxidle: t_keepintvl*t_keepcnt exceeds INT_MAX at high hz | sys/netinet/tcp_usrreq.c:1644 | β |
| DF-0419 | Low | nd6_ra_input mutates per-interface ND timing state (reachable/retrans/chlim/linkmtu) without nd6_mtx: data race | sys/netinet6/nd6_rtr.c:272 | β |
| DF-0421 | Low | ng_ubt_rcvdata calls panic() on malformed HCI frames from netgraph hook: local DoS | sys/netgraph7/bluetooth/drivers/ubt/ng_ubt.c:1755 | β |
| DF-0422 | Low | Missing validation of queue length in NGM_UBT_NODE_SET_QLEN: negative qlen -> uint32 wrap to 0xFFFFFFFF, unbounded queuing | sys/netgraph7/bluetooth/drivers/ubt/ng_ubt.c:1625 | β |
| DF-0424 | Low | Unvalidated mf6cc_parent stored in MFC: OOB read in ip6_mdq debug path when parent >= MAXMIFS(64) | sys/netinet6/ip6_mroute.c:751 | β |
| DF-0425 | Low | MRT6 setsockopt handlers cast mtod() without verifying m_len against struct size: reads uninitialized mbuf data | sys/netinet6/ip6_mroute.c:277 | β |
| DF-0426 | Low | MFC table protected only by crit_enter (local-CPU), not token/lock: cross-CPU UAF race | sys/netinet6/ip6_mroute.c:359 | β |
| DF-0432 | Low | Crafted PFSYNC_ACT_BUS endtime prematurely marks pfsync_sync_ok: HA-status spoofing | sys/net/pf/if_pfsync.c:950 | β |
| DF-0433 | Low | bpf_mtap_hdr submits partially-initialized stack mbuf: bpf_mtap reads uninitialized m_pkthdr.rcvif | sys/net/bpf.c:1347 | β |
| DF-0434 | Low | bpf_filter_read (knote f_event) reads bd_* state and re-arms callout without bpf_token: race | sys/net/bpf.c:1206 | β |
| DF-0435 | Low | bpf_movein IEEE80211_RADIO path: ibp_len from user packet drives link-header copy without proper mbuf bounds check | sys/net/bpf.c:264 | β |
| DF-0437 | Low | Receive-path filter dereferences mbuf data without m_pullup: OOB read within mbuf cluster on short first mbuf | sys/netgraph7/bluetooth/socket/ng_btsocket_hci_raw.c:474 | β |
| DF-0438 | Low | Kernel stack info-leak via uninitialized redstats[3] array in hfsc_getqstats copyout | sys/net/altq/altq_hfsc.c:293 | β |
| DF-0439 | Low | hfsc_dequeue panic() on NULL from hfsc_getq: kernel-panic DoS if backlogged class queue drains underneath scheduler | sys/net/altq/altq_hfsc.c:827 | β |
| DF-0442 | Low | rmc_init stores user-driven maxqueued_ without validation: div-by-zero or heap OOB via fixed-size array modulus | sys/net/altq/altq_rmclass.c:680 | β |
| DF-0443 | Low | Integer overflow in scaled scheduler parameter math: maxidle/offtime/pkttime products truncate to 32-bit int | sys/net/altq/altq_rmclass.c:248 | β |
| DF-0446 | Low | SIOCSIFMTU missing lower-bound validation: ifr_mtu=0 or negative accepted, corrupts downstream MSS/fragmentation math | sys/net/if_ethersubr.c:715 | β |
| DF-0455 | Low | MCC multi-byte length decode reverses octet ordering: interoperability bug for MCC frames >= 128 bytes | sys/netbt/rfcomm_session.c:1027 | β |
| DF-0456 | Low | NULL deref in rfcomm_session_complete: credit NULL check under #ifdef DIAGNOSTIC only, no guard on production | sys/netbt/rfcomm_session.c:446 | β |
| DF-0462 | Low | bzero targets wrong field (&conf not &stats) with wrong size (session_stats=32 not sess_config=8): 24-byte intra-struct overflow | sys/netgraph7/l2tp/ng_l2tp.c:748 | β |
| DF-0465 | Low | Handshake state irrevocably corrupted when noise_begin_session kmalloc(M_NOWAIT) fails | sys/net/wg/wg_noise.c:1188 | β |
| DF-0468 | Low | ip6_savecontrol ext-header walk has no nest limit (self-flagged by code comment) | sys/netinet6/ip6_input.c:1214 | β |
| DF-0469 | Low | ip6_get_prevhdr dereferences ip6e without validating len against m_len: fragile implicit contract | sys/netinet6/ip6_input.c:1418 | β |
| DF-0478 | Low | Rule set field not validated: 1<<set with set>=32 is UB, enabling rule-set bypass | sys/net/ipfw3/ip_fw3.c:487 | β |
| DF-0479 | Low | ip_fw3_ctl_delete_rule: unchecked direct pointer deref of sopt_val without size validation | sys/net/ipfw3/ip_fw3.c:850 | β |
| DF-0480 | Low | TCP-MD5 signature option construction overflows 40-byte opt[] stack buffer (disabled by default) | sys/netinet/tcp_output.c:779 | β |
| DF-0481 | Low | Integer overflow in root path cost comparison allows topology manipulation via crafted BPDU | sys/net/bridge/bridgestp.c:513 | β |
| DF-0482 | Low | sc_topology_change_time never initialized: premature TC timer expiry defeats topology change notification | sys/net/bridge/bridgestp.c:1465 | β |
| DF-0485 | Low | IPv6 syncache hash uses only 64/128 address bits with 32-bit secret: attacker-guaranteed bucket collisions | sys/netinet/tcp_syncache.c:157 | β |
| DF-0486 | Low | syncache_insert dereferences possibly-uninitialized sc2 in cache-overflow path when cachelimit=0 | sys/netinet/tcp_syncache.c:359 | β |
| DF-0487 | Low | sc_flags assign instead of OR wipes SCF_HASH and negotiated-option flags on TF_NOOPT listener | sys/netinet/tcp_syncache.c:1102 | β |
| DF-0491 | Low | NULL td dereference in SIOCSIFDSTADDR and default ioctl handlers despite documented "td might be NULL" contract | sys/netinet/in.c:606 | β |
| DF-0493 | Low | KASSERT-only bounds check on nack before xwin[] indexing: no runtime protection in production kernels | sys/netgraph/l2tp/ng_l2tp.c:1141 | β |
| DF-0496 | Low | rn_walktree_from dereferences caller-supplied mask without NULL check | sys/net/radix.c:1098 | β |
| DF-0498 | Low | SIOC_L2CAP_L2CA_GET_INFO: unvalidated info_size causes oversized kmalloc + feature non-functional | sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:1061 | β |
| DF-0499 | Low | Unprivileged info disclosure: read-only L2CAP node ioctls (GET_CON_LIST, GET_CHAN_LIST) lack privilege check | sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:850 | β |
| DF-0501 | Low | netgraph message leak on ioctl timeout-vs-response race | sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:910 | β |
| DF-0504 | Low | ng_fec_choose_port dereferences ether/ip/ip6 headers with no mbuf length validation | sys/netgraph7/ng_fec.c:1018 | β |
| DF-0505 | Low | ng_fec_input defined with 2 params but assigned to 4-param if_input slot: calling-convention UB | sys/netgraph7/ng_fec.c:862 | β |
| DF-0506 | Low | ng_fec_ether_cmdmulti iterates if_multiaddrs lockless + leaks membership on partial kmalloc failure | sys/netgraph7/ng_fec.c:542 | β |
| DF-0511 | Low | UAF/stale-socket race in deferred upcall ng_ksocket_incoming2: queued so pointer may be freed by shutdown | sys/netgraph7/ksocket/ng_ksocket.c:985 | β |
| DF-0512 | Low | Unbounded sockaddr stored into fixed-size struct sockaddr in accept response: latent type confusion | sys/netgraph7/ksocket/ng_ksocket.c:1250 | β |
| DF-0514 | Low | REJECT_RST copies full 20-byte tcphdr after PULLUP_TO guaranteed only 14: stale mbuf buffer leak in RST | sys/net/ip6fw/ip6_fw.c:629 | β |
| DF-0515 | Low | add_entry6 null-terminates fw_in_if.name but not fw_out_if.name: kfnmatch bounded over-read | sys/net/ip6fw/ip6_fw.c:851 | β |
| DF-0516 | Low | ip6opts_match bails to opts_check on short first mbuf: IPv6 option matching silently skipped -> firewall bypass | sys/net/ip6fw/ip6_fw.c:256 | β |
| DF-0519 | Low | ICMP PMTUD accepts attacker-controlled nextmtu: PMTU poisoning via unauthenticated frag-needed | sys/netinet/ip_icmp.c:282 | β |
| DF-0520 | Low | icmp_reflect reflects source-route/RR/TS IP options into echo reply: info leak + source-route revival | sys/netinet/ip_icmp.c:1025 | β |
| DF-0523 | Low | Deferred INTERNAL_UPCALL re-invokes upcall against torn-down node/socket: UAF/NULL deref (DF-0511 v1 twin) | sys/netgraph/ksocket/ng_ksocket.c:623 | β |
| DF-0530 | Low | ng_fec_free_unit increments usage counter instead of decrementing + global bitmap mutated without locks | sys/netgraph/fec/ng_fec.c:290 | β |
| DF-0532 | Low | bt3c_download_firmware: unvalidated block_size causes heap OOB read of msg->data | sys/netgraph7/bluetooth/drivers/bt3c/ng_bt3c_pccard.c:1121 | β |
| DF-0537 | Low | TOCTOU race on priv->datasock in ng_connect_data: check unlocked, set under lock | sys/netgraph7/socket/ng_socket.c:790 | β |
| DF-0541 | Low | Uninitialized cp.data[0] in Command Reject MTU_EXCEEDED sets link MTU to stack garbage | sys/netbt/l2cap_signal.c:91 | β |
| DF-0544 | Low | hardware_error and data_buffer_overflow: missing NG_HCI_M_PULLUP + length check on 1-byte body | sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:826 | β |
| DF-0545 | Low | Buffer accounting u_int16_t wrap in num_compl_pkts via attacker-controlled compl_pkt: throughput DoS | sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:905 | β |
| DF-0548 | Low | bitmap[0]=~3 marks non-existent objects free when pool has <32 objects | sys/net/netmap/netmap_mem2.c:677 | β |
| DF-0549 | Low | netmap_obj_offset returns 0 on error, indistinguishable from valid offset 0: masks failures | sys/net/netmap/netmap_mem2.c:227 | β |
| DF-0551 | Low | MTU unsigned underflow when parent MTU < EVL_ENCAPLEN(4) | sys/net/vlan/if_vlan.c:727 | β |
| DF-0552 | Low | VLAN tag match strips priority on input but stores full 16-bit tag: input/output asymmetry | sys/net/vlan/if_vlan.c:605 | β |
| DF-0555 | Low | m_pullup is dead code: packetlen=m_len, then m_len<packetlen is always false, mbuf chains mis-parsed | sys/netgraph/lmi/ng_lmi.c:575 | β |
| DF-0556 | Low | DLCI array index without local bounds check in nglmi_rcvdata: latent heap OOB write | sys/netgraph/lmi/ng_lmi.c:692 | β |
| DF-0557 | Low | Callout UAF race on hook disconnect/node shutdown: callout_stop doesn't drain ticker | sys/netgraph/lmi/ng_lmi.c:1062 | β |
| DF-0563 | Low | Dead m_pullup: packetlen=m_len makes check tautologically false; ng7 twin of DF-0555 | sys/netgraph7/lmi/ng_lmi.c:569 | β |
| DF-0564 | Low | DLCI array access lacks local bounds check; ng7 twin of DF-0556 | sys/netgraph7/lmi/ng_lmi.c:690 | β |
| DF-0567 | Low | Memory leak of in-progress reassembly mbuf when new ACL START arrives | sys/netbt/hci_link.c:471 | β |
| DF-0574 | Low | Uninitialized kernel stack read as alias IPs via count mismatch in copyin | sys/net/ipfw3_nat/ip_fw3_nat.c:756 | β |
| DF-0576 | Low | Callout handlers dereference sc_ttyp before NULL check/token: callout-vs-close race panic | sys/net/sl/if_sl.c:1012 | β |
| DF-0577 | Low | Integer overflow in SLIOCSKEEPAL/SLIOCSOUTFILL interval computation: tight callout loop DoS | sys/net/sl/if_sl.c:398 | β |
| DF-0578 | Low | SLIOCSUNIT struct-assigns embedded callout nodes: callout queue corruption | sys/net/sl/if_sl.c:365 | β |
| DF-0582 | Low | ieee80211_parse_beacon FHPARMS/DSPARMS field reads exceed declared IE length: OOB read | sys/netproto/802_11/wlan/ieee80211_input.c:571 | β |
| DF-0583 | Low | ieee80211_parse_ath heap over-read via short Atheros vendor IE | sys/netproto/802_11/wlan/ieee80211_superg.c:198 | β |
| DF-0587 | Low | NULL vap deref in scan_curchan_task: scan state not re-validated after dropping IEEE80211_LOCK across ic_set_channel | sys/netproto/802_11/wlan/ieee80211_scan_sw.c:741 | β |
| DF-0591 | Low | Legacy netgraph/ng_bridge leaks mbuf+meta when the bridge has exactly one link (numLinks==1 fan-out loop never runs) | sys/netgraph/bridge/ng_bridge.c:663 | β |
| DF-0592 | Low | Uninitialized kernel stack leaked to userspace via fairq_getqstats copyout of struct fairq_classstats | sys/net/altq/altq_fairq.c:282 | β |
| DF-0002 | Info | sys_fhopen returns spurious success (fd 0) on VREG-without-VM-object invariant violation | sys/kern/vfs_syscalls.c:4933 | β |
| DF-0004 | Info | devaddq error path leaks data buffer due to wrong variable checked (loc instead of data) | sys/kern/subr_bus.c:615 | β |
| DF-0007 | Info | Uninitialized struct sigaction trailing padding leaked to userspace via oact copyout | sys/kern/kern_sig.c:260 | β |
| DF-0012 | Info | vop_nremove quota-accounting glue: latent NULL-deref on nc_vp, nlink TOCTOU, wrong mount for PFS overlays | sys/kern/vfs_vopops.c:1660 | β |
| DF-0023 | Info | Missing return after EINVAL in sys_read/sys_write/sys_extpwrite bypasses nbyte>SSIZE_MAX guard | sys/kern/sys_generic.c:130 | β |
| DF-0036 | Info | %n format specifier enabled in kernel printf engine with zero in-tree consumers | sys/kern/subr_prf.c:688 | β |
| DF-0037 | Info | sys_getpgid / sys_getsid lack cross-session visibility checks (unprivileged pgid/sid enumeration) | sys/kern/kern_prot.c:106 | β |
| DF-0043 | Info | SYSCTL_INT declared for long counters (auxrecovervnodes1/2): type/size mismatch | sys/kern/vfs_lock.c:109 | β |
| DF-0048 | Info | CALLOUT_PREVENTED set on wrong structure (verifier/cc) vs read from backend _callout -> wrong callout_stop/cancel/drain return | sys/kern/kern_timeout.c:600 | β |
| DF-0049 | Info | IPI ring/serial indices are signed int, incremented without wraparound handling (overflow after ~2^31 messages) | sys/kern/lwkt_ipiq.c:218 | β |
| DF-0051 | Info | msgsnd lacks explicit MSGMAX upper-bound check; msg_ts (u_short) silently truncates when MSGMNB compiled > 65535 (latent panic) | sys/kern/sysv_msg.c:50 | β |
| DF-0064 | Info | Unsynchronized data race on desc->total_objects (statistics-only, no security impact) | sys/kern/kern_objcache.c:357 | β |
| DF-0065 | Info | OOB read of thread struct before panic in lwkt_reltoken assertion path (console-only, no userspace leak) | sys/kern/lwkt_token.c:841 | β |
| DF-0066 | Info | Undefined behavior: shift by sysctl-controlled token_window_shift in backoff spin | sys/kern/lwkt_token.c:398 | β |
| DF-0068 | Info | IBAA-only RNG mode (rand_mode==1) has no seeding-readiness gate before first output | sys/kern/kern_nrandom.c:700 | β |
| DF-0069 | Info | Signed integer overflow (C UB) in lock range end calculation (caught by guard, no corruption reachable) | sys/kern/kern_lockf.c:227 | β |
| DF-0073 | Info | Pointless cfi++ causes 1-element OOB read in DEBUG builds (elf_getfiles) | sys/kern/kern_checkpoint.c:667 | β |
| DF-0078 | Info | pps_shift/pps_shiftmax sysctl lack range validation, allowing UB shift counts in hardpps (root self-DoS) | sys/kern/kern_ntptime.c:265 | β |
| DF-0082 | Info | Latent heap overflow in sbuf_extend via int truncation of caller length (zero callers, unreachable today) | sys/kern/subr_sbuf.c:150 | β |
| DF-0086 | Info | dev_dopen dereferences inner *a_fpp without NULL check (latent panic, no current trigger) | sys/kern/kern_device.c:151 | β |
| DF-0087 | Info | Signed integer overflow (C UB) in new_unrhdr last computation when high=INT_MAX | sys/kern/subr_unit.c:257 | β |
| DF-0091 | Info | Lock-order inversion between sysctl_rman and rman_fini creates ABBA deadlock potential (rman_fini dead code) | sys/kern/subr_rman.c:155 | β |
| DF-0092 | Info | sysctl_rman leaks 4 bytes uninitialized kernel stack via struct u_resource trailing padding | sys/kern/subr_rman.c:700 | β |
| DF-0094 | Info | shmrealloc initializes OLD shmsegs[] instead of newsegs[]: heap OOB write + uninit new array (dead code) | sys/kern/sysv_shm.c:683 | β |
| DF-0098 | Info | sglist_consume_uio loop does not check uio_iovcnt before reading uio_iov (defense-in-depth, dead code) | sys/kern/subr_sglist.c:402 | β |
| DF-0100 | Info | Missing NULL check on vfsconf_find_by_name("devfs") before dereference in vfs_mountroot_devfs | sys/kern/vfs_conf.c:300 | β |
| DF-0104 | Info | Boot-time ktr_buf/ktr_entries_mask publication relies on TSO (no explicit read-side barrier, x86-only safe) | sys/kern/kern_ktr.c:231 | β |
| DF-0109 | Info | l32_fixlabel partition loop lacks internal d_npartitions cap | sys/kern/subr_disklabel32.c:592 | β |
| DF-0112 | Info | __sccl scanset range-fill writes tab[256] when range endpoint is 0xFF | sys/kern/subr_scanf.c:605 | β |
| DF-0114 | Info | PT_IO trusts user piod_len without bounds check; narrows size_t into ssize_t uio_resid | sys/kern/sys_process.c:429 | β |
| DF-0115 | Info | sys_ptrace discards copyout error when returning PT_IO descriptor | sys/kern/sys_process.c:112 | β |
| DF-0116 | Info | copyin/copyout/uiomove_nofault clear TDF_NOFAULT unconditionally instead of save/restore | sys/kern/kern_subr.c:60 | β |
| DF-0119 | Info | Latent OOB write if aux_data/aux_size invariant breaks | sys/kern/subr_diskiocom.c:207 | β |
| DF-0121 | Info | Signed/unsigned confusion defeats length clamp in KENV_GET | sys/kern/kern_environment.c:141 | β |
| DF-0122 | Info | kgetenv_quad signed-shift overflow on magnitude-suffixed values | sys/kern/kern_environment.c:436 | β |
| DF-0123 | Info | kernenv_next unbounded walk of bootloader static env | sys/kern/kern_environment.c:510 | β |
| DF-0126 | Info | TIOCCONS privilege check skipped when a_cred is NULL | sys/kern/tty_cons.c:486 | β |
| DF-0127 | Info | cndbctl uses unlocked static refcount | sys/kern/tty_cons.c:570 | β |
| DF-0131 | Info | fp_mmap size arithmetic can wrap past SSIZE_MAX after signedness check | sys/kern/kern_fp.c:409 | β |
| DF-0153 | Info | EXCLWAIT bitfield can overflow into SPINLOCK_SHARED bit; no bounds guard | sys/kern/kern_spinlock.c:206 | β |
| DF-0154 | Info | KKASSERT-only invariants vanish on production kernels (UAF/queue-corruption risk) | sys/kern/kern_systimer.c:148 | β |
| DF-0155 | Info | Division by unvalidated freq<=0 -> kernel divide-by-zero panic | sys/kern/kern_systimer.c:269 | β |
| DF-0159 | Info | xio_init_pages accepts negative npages; only upper bound asserted | sys/kern/kern_xio.c:142 | β |
| DF-0160 |
Info |
xio_init_kbuf silently truncates when kbytes exceeds XIO_INTERNAL_SIZE
sys/kern/kern_xio.c:113 |
β |
| DF-0164 |
Info |
sys_modstat copyout non-NUL-terminated module name when name>=MAXMODNAME
sys/kern/kern_module.c:348 |
β |
| DF-0168 |
Info |
Lazy objcache creation in sysref_alloc is racy (no lock on srclass->oc init)
sys/kern/kern_sysref.c:142 |
β |
| DF-0169 |
Info |
sysref_get has no refcount overflow guard
sys/kern/kern_sysref.c:66 |
β |
| DF-0171 |
Info |
Ignored copyout return in sys_sched_getparam
sys/kern/kern_p1003_1b.c:245 |
β |
| DF-0172 |
Info |
mpipe_free reads/writes mpipe->pending outside the lwkt_token
sys/kern/kern_mpipe.c:344 |
β |
| DF-0175 |
Info |
Integer overflow in NPROC macro via unbounded kern.maxusers
sys/kern/subr_param.c:56 |
β |
| DF-0180 |
Info |
Fragile zeroing contract for fill_kinfo_lwp aggregation (+=)
sys/kern/kern_kinfo.c:219 |
β |
| DF-0184 |
Info |
Lockless read of exec_res_id counter mutated under list lock
sys/kern/imgact_resident.c:138 |
β |
| DF-0188 |
Info |
No defense-in-depth privilege check; acl_cnt not bounds-validated pre-VOP
sys/kern/kern_acl.c:74 |
β |
| DF-0192 |
Info |
Concurrent writer/reader cursor updates on msg_bufl unsynchronized
sys/kern/subr_log.c:153 |
β |
| DF-0194 |
Info |
vfs_mount caches mnt_cred with unlocked check-then-set
sys/kern/vfs_vfsops.c:89 |
β |
| DF-0197 |
Info |
sysctl_devstat copies full struct devstat including unset fields and padding
sys/kern/subr_devstat.c:289 |
β |
| DF-0201 |
Info |
dhp computed from raw tv_sec instead of UTC-adjusted t1
sys/kern/subr_fattime.c:150 |
β |
| DF-0205 |
Info |
Timeout conversion uses 32-bit int arithmetic that can overflow
sys/kern/kern_umtx.c:188 |
β |
| DF-0206 |
Info |
Dead code: offset computed and never used in both syscalls
sys/kern/kern_umtx.c:114 |
β |
| DF-0210 |
Info |
clist_catq infinite loop on aliasing (cls==cld)
sys/kern/tty_subr.c:294 |
β |
| DF-0211 |
Info |
No negative-size guard on ccmax in clist_alloc_cblocks
sys/kern/tty_subr.c:61 |
β |
| DF-0213 |
Info |
last_td tracking field uses non-atomic plain load/store racy on SMP
sys/kern/lwkt_serialize.c:112 |
β |
| DF-0214 |
Info |
handler_disable discards in-flight indicator from atomic_intr_handler_disable
sys/kern/lwkt_serialize.c:149 |
β |
| DF-0215 |
Info |
Wait-counter inc/dec can overflow into control bits (theoretical)
sys/kern/lwkt_serialize.c:271 |
β |
| DF-0218 |
Info |
kcollect_setvalue divides by kcollect_samples without guard
sys/kern/kern_collect.c:128 |
β |
| DF-0219 |
Info |
kcollect_setscale/setvalue mutate shared state without kcollect_lock
sys/kern/kern_collect.c:124 |
β |
| DF-0222 |
Info |
csprng_get_random byte count signed int: huge u_int requests silently truncate to 0
sys/kern/subr_csprng.c:127 |
β |
| DF-0225 |
Info |
Implicit undocumented locking contract on lwp_rtprio writes
sys/kern/kern_sched.c:175 |
β |
| DF-0230 |
Info |
table_blocks computed before entries/entsz validation (fragile ordering)
sys/kern/subr_diskgpt.c:131 |
β |
| DF-0231 |
Info |
Buffer-size safety depends solely on KKASSERT debug assertions
sys/kern/subr_diskgpt.c:93 |
β |
| DF-0242 |
Info |
TOCTOU: td_proc NULL check without holding kpsus_token
sys/kern/kern_kthread.c:190 |
β |
| DF-0244 |
Info |
ldisc_deregister missing lower-bound check: negative index OOB write into linesw[]
sys/kern/tty_conf.c:122 |
β |
| DF-0247 |
Info |
cpuid bounds check is KASSERT-only β compiled out in production kernels
sys/kern/subr_cpuhelper.c:45 |
β |
| DF-0250 |
Info |
Dead page-alignment computation: iolen computed but never applied
sys/kern/kern_physio.c:88 |
β |
| DF-0251 |
Info |
PC_TO_INDEX u_quad_t overflow on 64-bit (correctness only, bounds check prevents OOB)
sys/kern/subr_prof.c:86 |
β |
| DF-0252 |
Info |
Theoretical cross-field torn-read between sys_profil multi-field update and addupc
sys/kern/subr_prof.c:68 |
β |
| DF-0255 |
Info |
Non-atomic RMW on global synth_synced counter (race)
sys/kern/vfs_synth.c:49 |
β |
| DF-0299 |
Info |
ng_bypass rewrites peer back-pointers without topology lock
sys/netgraph7/netgraph/ng_base.c:1207 |
β |
| DF-0300 |
Info |
ng_decodeidname truncates u_long to ng_ID_t without range check
sys/netgraph7/netgraph/ng_base.c:919 |
β |
| DF-0313 |
Info |
Sticky Hop-by-Hop/Destination options un-settable: hardcoded priv=0 always returns EPERM for root
sys/netinet6/ip6_output.c:2019 |
β |
| DF-0314 |
Info |
Inconsistent privilege enforcement: RFC3542 GET path lacks priv check present in RFC2292 path
sys/netinet6/ip6_output.c:1942 |
β |
| DF-0318 |
Info |
Inconsistent atomic vs non-atomic access to wg_packet::p_state
sys/net/wg/if_wg.c:508 |
β |
| DF-0319 |
Info |
Lockless torn reads of multi-word struct wg_endpoint in fast paths
sys/net/wg/if_wg.c:746 |
β |
| DF-0324 |
Info |
HT cap/info IE parsers perform no own length validation (caller-trust fragile)
sys/netproto/802_11/wlan/ieee80211_ht.c:1418 |
β |
| DF-0332 |
Info |
Statistics counters read without lock: torn 64-bit reads
sys/netgraph7/ppp/ng_ppp.c:647 |
β |
| DF-0335 |
Info |
in_pcbportrange can invert hi<lo causing u_short underflow and out-of-range port binds
sys/netinet/in_pcb.c:2533 |
β |
| DF-0339 |
Info |
tcp_new_isn last_offset signed int overflow-wrap on churn (UB / monotonicity erosion)
sys/netinet/tcp_subr.c:1670 |
β |
| DF-0342 |
Info |
in6_update_ifa inconsistent error handling on multicast group joins
sys/netinet6/in6.c:1144 |
β |
| DF-0343 |
Info |
IPv6 address configured while interface is down bypasses Duplicate Address Detection entirely
sys/netinet6/in6.c:1070 |
β |
| DF-0345 |
Info |
IP header checksum left stale after kernel records RR/TS options on locally-delivered packets
sys/netinet/ip_input.c:1702 |
β |
| DF-0348 |
Info |
Missing m_pullup for management frames: no guarantee frame header contiguous
sys/netproto/802_11/wlan/ieee80211_hostap.c:594 |
β |
| DF-0357 |
Info |
nd6_cache_lladdr ignores lladdrlen parameter, uses ifp->if_addrlen for bcopy
sys/netinet6/nd6.c:1768 |
β |
| DF-0364 |
Info |
ieee80211_fix_rate and findrix iterate rs_rates without validating rs_nrates <= IEEE80211_RATE_MAXSIZE: missing defense-in-depth
sys/netproto/802_11/wlan/ieee80211_proto.c:623 |
β |
| DF-0368 |
Info |
lagg_clone_create error path calls if_free on embedded ifnet: latent double-free if protocol attach ever fails
sys/net/lagg/if_lagg.c:304 |
β |
| DF-0369 |
Info |
lagg_port_ioctl fallback forwards ioctl to driver but always returns EINVAL discarding result
sys/net/lagg/if_lagg.c:896 |
β |
| DF-0372 |
Info |
Undefined behavior shift 1 << if_dunit for member NIC unit numbers >= 32
sys/net/lagg/ieee8023ad_lacp.c:310 |
β |
| DF-0377 |
Info |
config_red error path kfrees struct that may be embedded member of dn_pipe: latent UAF/invalid-free
sys/net/dummynet/ip_dummynet.c:1359 |
β |
| DF-0378 |
Info |
SET_TICKS computes len*8*dn_hz in int: overflow for jumbo packets at high dn_hz -> shaper bypass
sys/net/dummynet/ip_dummynet.c:431 |
β |
| DF-0384 |
Info |
delete_pipe uses DN_NR_HASH_MAX(16) instead of DN_PIPE_NR_MAX(65536): pipes 17-65536 undeletable β same as v1
sys/net/dummynet3/ip_dummynet3.c:1645 |
β |
| DF-0385 |
Info |
config_red kfrees caller-owned possibly-embedded struct on red_lookup_depth==0 path: latent UAF β same as v1
sys/net/dummynet3/ip_dummynet3.c:1364 |
β |
| DF-0398 |
Info |
rt_setshims leaks previously allocated shims on partial allocation failure
sys/net/route.c:1374 |
β |
| DF-0405 |
Info |
Missing null-termination of bdg_basename when namelen==IFNAMSIZ: OOB read in debug format strings
sys/net/netmap/netmap_vale.c:331 |
β |
| DF-0408 |
Info |
ip_optcopy validates IP-option lengths only with KASSERT (no-op on production): latent OOB read
sys/netinet/ip_output.c:1018 |
β |
| DF-0409 |
Info |
Unprivileged users can install IP source-route options (LSRR/SSRR) without privilege check
sys/netinet/ip_output.c:1097 |
β |
| DF-0413 |
Info |
Primitive parse functions write to output buffer without checking *buflen: missing defense-in-depth bounds check
sys/netgraph7/netgraph/ng_parse.c:332 |
β |
| DF-0416 |
Info |
TCP_MAXSEG minmss floor can raise t_maxseg above current negotiated value on small-MTU paths
sys/netinet/tcp_usrreq.c:1613 |
β |
| DF-0427 |
Info |
ip6_mrouter_set performs no explicit capability check: relies entirely on raw-socket attach privilege
sys/netinet6/ip6_mroute.c:265 |
β |
| DF-0440 |
Info |
red_pkttime computed as int64 then stored into int: truncation/overflow for jumbo MTU or low m2
sys/net/altq/altq_hfsc.c:451 |
β |
| DF-0444 |
Info |
rmc_newclass does not reject negative priority: only checks upper bound, latent negative array index
sys/net/altq/altq_rmclass.c:201 |
β |
| DF-0447 |
Info |
AF_ARP output case is dead code carrying latent uninitialized-read/OOB-read: mtod returns ether_header not arphdr after M_PREPEND
sys/net/if_ethersubr.c:237 |
β |
| DF-0448 |
Info |
Safety-critical checks rely on KASSERT/KKASSERT which are no-ops on production kernels without INVARIANTS
sys/net/if_ethersubr.c:993 |
β |
| DF-0452 |
Info |
Octal/hex escape loops in ng_get_string_token: counter k never incremented, consumes all consecutive digits
sys/netgraph/netgraph/ng_parse.c:1599 |
β |
| DF-0459 |
Info |
user_frac sysctl accepts any uint32 without range validation (documented 0-100)
sys/net/if_poll.c:1116 |
β |
| DF-0460 |
Info |
status_frac / tx_frac sysctls have no upper bound: signed int overflow in ifpoll_compat_setup
sys/net/if_poll.c:1497 |
β |
| DF-0461 |
Info |
Potential signed integer overflow in kern_load burst-adaptation math
sys/net/if_poll.c:1019 |
β |
| DF-0463 |
Info |
Lockless write to seq->inproc in M_PREPEND failure path: data race
sys/netgraph7/l2tp/ng_l2tp.c:957 |
β |
| DF-0464 |
Info |
bzero (not explicit_bzero) used to clear sensitive key material in heap structs: DSE risk
sys/net/wg/wg_noise.c:411 |
β |
| DF-0466 |
Info |
Potentially unaligned 64-bit write constructing transport AEAD nonce
sys/net/wg/wg_noise.c:996 |
β |
| DF-0467 |
Info |
Dead code in ip6_savecontrol: RTHDRDSTOPTS walk result discarded, RFC3542 semantics not implemented
sys/netinet6/ip6_input.c:1173 |
β |
| DF-0470 |
Info |
Disabling ip6_hdrnestlimit sysctl (=0) removes only ext-header depth bound: no hard floor
sys/netinet6/ip6_input.c:693 |
β |
| DF-0483 |
Info |
No validation of attacker-supplied STP timer values from winning root bridge BPDU
sys/net/bridge/bridgestp.c:393 |
β |
| DF-0488 |
Info |
Hash secret only 32-bit + sc_flags 8-bit near exhaustion: hardening gaps
sys/netinet/tcp_syncache.c:118 |
β |
| DF-0500 |
Info |
Response handlers trust count/size fields without checking pcb->msg arglen: defense-in-depth gap
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:917 |
β |
| DF-0507 |
Info |
IPv6 port-selection hash XORs destination with itself: always zero, no load balancing
sys/netgraph7/ng_fec.c:1056 |
β |
| DF-0517 |
Info |
IPV6_FW_GET leaks one unused mbuf per call + walks chain without lock
sys/net/ip6fw/ip6_fw.c:1101 |
β |
| DF-0531 |
Info |
NGM_FEC_SET_MODE_INET6 sets mode unhandled by output path: all packets silently dropped
sys/netgraph/fec/ng_fec.c:1180 |
β |
| DF-0538 |
Info |
Type-confused stack buffer: char *addrbuf[NG_HOOKSIZ+4] is pointer array not byte array
sys/netgraph7/socket/ng_socket.c:981 |
β |
| DF-0539 |
Info |
ieee80211_node_dectestref implements non-atomic decrement-and-test: latent UAF trap
sys/netproto/802_11/wlan/ieee80211_dragonfly.c:497 |
β |
| DF-0550 |
Info |
Ring-size computation uses 32-bit multiply without overflow check: latent heap overflow
sys/net/netmap/netmap_mem2.c:927 |
β |
| DF-0553 |
Info |
SIOCSETVLAN accepts reserved VLAN IDs (0 and 0xFFF) without validation
sys/net/vlan/if_vlan.c:996 |
β |
| DF-0561 |
Info |
hci_event ignores hci_event_hdr_t.length: per-spec bound for all variable-length events dropped (root cause)
sys/netbt/hci_event.c:163 |
β |
| DF-0568 |
Info |
ACL/SCO packet type and length validation only compiled under #ifdef DIAGNOSTIC
sys/netbt/hci_link.c:431 |
β |
| DF-0575 |
Info |
Wrong timeout variable for inbound TCP/UDP state cleanup: 6x/3x premature expiry
sys/net/ipfw3_nat/ip_fw3_nat.c:971 |
β |
| DF-0579 |
Info |
Unbounded mbuf-to-stack copy in slstart BPF path: latent stack overflow
sys/net/sl/if_sl.c:536 |
β |
| DF-0584 |
Info |
ieee80211_ff_decap skips framelen validation: truncated frame delivery
sys/netproto/802_11/wlan/ieee80211_superg.c:309 |
β |
| DF-0593 |
Info |
Latent UAF: fairq_class_destroy does not clear dangling pif_default pointer (currently unreachable via pf ioctls)
sys/net/altq/altq_fairq.c:428 |
β |
| DF-0595 |
Info |
Michael MIC verification uses non-constant-time memcmp (defense-in-depth)
sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c:359 |
β |
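Several of the Info entries above are the same two integer-handling mistakes in different places: a length clamp done in signed arithmetic on a value the user controls (DF-0121 KENV_GET, DF-0114 PT_IO, DF-0222 csprng_get_random) and a product computed in 32-bit int that wraps for large operands (DF-0378 SET_TICKS, DF-0550, DF-0205). The block below is an added example written for this page, not DragonFly code: it models each shape with a hypothetical helper next to a checked version. The function names, the constructed `sample_kenv` string and the packet/rate figures are assumptions chosen so the failure is visible; the shaper formula `ceil((len*8*hz - credit) / bw)` follows the SET_TICKS description in the table.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample kenv entry; hypothetical, not from any boot loader. */
static const char sample_kenv[] = "hw.physmem=1073741824";

/*
 * Case 1: signed/unsigned confusion defeats a length clamp (the KENV_GET and
 * PT_IO shape).  The caller's length arrives as int and the clamp is a signed
 * comparison, so a negative request passes the clamp untouched and is then
 * converted to size_t: the copy would run for SIZE_MAX bytes.
 * Returns the byte count that would be handed to the copy; it deliberately
 * does not perform the copy.
 */
size_t kenv_copylen_vuln(int userlen, const char *value)
{
    int len = userlen;
    int vlen = (int)strlen(value) + 1;     /* includes the NUL */

    if (len > vlen)                        /* -1 > 22 is false: no clamp */
        len = vlen;
    return (size_t)len;                    /* -1 becomes SIZE_MAX */
}

/*
 * Checked version: reject negative lengths before any conversion, clamp in
 * size_t, then do the bounded copy.  dst must hold strlen(value) + 1 bytes.
 * Returns bytes copied, or -EINVAL for a negative request.
 */
ssize_t kenv_copy_safe(char *dst, int userlen, const char *value)
{
    if (userlen < 0)
        return -EINVAL;
    size_t n = strlen(value) + 1;
    if ((size_t)userlen < n)
        n = (size_t)userlen;               /* short buffer: partial, no NUL */
    memcpy(dst, value, n);
    return (ssize_t)n;
}

/*
 * Case 2: a shaper delay computed as ceil((len * 8 * hz - credit) / bw) in
 * 32-bit int (the SET_TICKS shape).  For a 65535-byte packet at hz = 8000 the
 * product is 4,194,240,000, past INT32_MAX, so the numerator reads negative
 * and the packet is released with no delay at all.  Signed overflow is
 * undefined behaviour in C; it is modelled here with unsigned wrap-around so
 * the outcome is reproducible.
 */
int32_t shaper_ticks_vuln(int32_t len, int32_t hz, int32_t credit, int32_t bw)
{
    uint32_t bits = (uint32_t)len * 8u * (uint32_t)hz;
    uint32_t num  = bits - (uint32_t)credit + (uint32_t)bw - 1u;
    return (int32_t)num / bw;              /* wrapped numerator: negative */
}

/*
 * Checked version: widen to 64 bits, refuse a non-positive rate, never
 * schedule in the past, and saturate instead of wrapping.
 */
int32_t shaper_ticks_safe(int32_t len, int32_t hz, int32_t credit, int32_t bw)
{
    if (bw <= 0)
        return 0;                          /* unshaped: send now */
    int64_t num = (int64_t)len * 8 * hz - credit + (int64_t)bw - 1;
    int64_t t = num / bw;
    if (t < 0)
        t = 0;
    if (t > INT32_MAX)
        t = INT32_MAX;
    return (int32_t)t;
}

int main(void)
{
    char buf[64];

    printf("vuln clamp(-1): %zu bytes would be copied\n",
           kenv_copylen_vuln(-1, sample_kenv));
    printf("safe copy(-1):  %zd\n", kenv_copy_safe(buf, -1, sample_kenv));
    printf("vuln ticks:     %d\n", shaper_ticks_vuln(65535, 8000, 0, 10000000));
    printf("safe ticks:     %d\n", shaper_ticks_safe(65535, 8000, 0, 10000000));
    return 0;
}
```

The two checked versions share one rule: validate the sign and the range of the caller's value in its original type, then widen before arithmetic; clamping after the conversion, or multiplying before widening, is what each vulnerable variant gets wrong.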