DragonFlyBSD Kernel Audit
← dashboard
DF-0123

kernenv_next unbounded walk of bootloader static env

Summary

kernenv_next(:510-521) scans byte-by-byte for double-NUL with no length bound. Malformed boot env missing terminator reads adjacent kernel memory. Requires compromised loader or memory corruption at boot. Combined with unpriv sysctl read -> kernel memory disclosure.