DragonFlyBSD Kernel Audit

Audit Dashboard

DragonFlyBSD Kernel Audit — adversarial file-by-file kernel review of sys/. 586 findings across 2809 tracked files. 37 PoCs verified (22 reproduced).

Findings by severity

Critical: 1
High: 52
Medium: 114
Low: 282
Info: 137
Total valid: 586

Audit progress by area

286/2809 files reviewed (10.2%)

kern: 174/174
net: 112/309
vfs: 0/175
vm: 0/22
crypto: 0/27
hw: 0/250
dev: 0/1407
libs: 0/81
contrib: 0/364

All findings

Confirmed — reproduced (22)

These findings have a working proof-of-concept that reproduced the bug on a live DragonFlyBSD kernel guest (kernel panic, memory corruption, privilege gain, or an observable leak). This is the highest-confidence tier — the vulnerability is confirmed real.

ID | Sev | Title | Location | PoC
DF-0017 | High | Unbounded recursion in kdmsg_simulate_failure overflows the kernel thread stack (remote DoS) | sys/kern/kern_dmsg.c:1321 | reproduced
DF-0053 | High | Heap buffer overflow in sysctl_jail_list (kern.jail.list) via unsigned underflow in size arithmetic | sys/kern/kern_jail.c:671 | reproduced
DF-0074 | High | DIOCGSLICEINFO heap buffer overflow via crafted GPT disk image (dss_nslices > MAX_SLICES) | sys/kern/subr_diskslice.c:556 | reproduced
DF-0165 | High | caps_priv_check corrupts cap argument before prison_priv_check: bypasses per-cap jail policy (raw sockets + mounts in jail) | sys/kern/kern_caps.c:333 | reproduced
DF-0265 | High | Missing distance bounds validation in inflate: heap OOB read when windowBits<15 | sys/net/zlib.c:4824 | reproduced
DF-0272 | High | Missing ifnet_unlock on error paths in SIOCAIFGROUP/SIOCDIFGROUP/SIOCGIFGROUP/SIOCSIFDESCR: permanent ifnet_mtx deadlock | sys/net/if.c:2389 | reproduced
DF-0003 | Medium | Negative unit number in devclass_alloc_unit causes heap OOB write via dc->devices[] | sys/kern/subr_bus.c:1064 | reproduced
DF-0032 | Medium | fdcopy() failure in fork1() permanently leaks the child proc, nprocs, and the per-uid proc-count (system-wide fork DoS) | sys/kern/kern_fork.c:491 | reproduced
DF-0033 | Medium | Unsynchronized fdtol->fdl_refcount ++ / list splice in rfork fdshare path (UAF via refcount race) | sys/kern/kern_fork.c:568 | reproduced
DF-0035 | Medium | Integer underflow in sysctl_kern_msgbuf causes kernel heap OOB read via copyout | sys/kern/subr_prf.c:1177 | reproduced
DF-0055 | Medium | Use-after-free of shared udev event dictionary in udev_event_externalize (multi-reader) | sys/kern/kern_udev.c:540 | reproduced
DF-0070 | Medium | Heap OOB read in elf_getnote: untrusted n_namesz advances offset past note buffer with no bounds check | sys/kern/kern_checkpoint.c:313 | reproduced
DF-0079 | Medium | Unprivileged local DoS via u_int truncation of iov_len in /dev/null and /dev/zero write (infinite kernel loop) | sys/kern/kern_memio.c:292 | reproduced
DF-0107 | Medium | dkcksum32 OOB read via DIOCSDINFO ioctl with crafted d_npartitions | sys/kern/subr_disklabel32.c:264 | reproduced
DF-0001 | Low | Reachable KASSERT panic in kern_truncate()/kern_ftruncate() when VOP_GETATTR fails under quotas | sys/kern/vfs_syscalls.c:4036 | reproduced
DF-0005 | Low | TIOCSTI unrestricted terminal input injection with no killswitch | sys/kern/tty.c:1158 | reproduced
DF-0006 | Low | kern.ttys sysctl leaks kernel function/heap pointers to unprivileged users | sys/kern/tty.c:2891 | reproduced
DF-0009 | Low | VFS_CONF (vfs.generic) sysctl leaks kernel pointers (vfc_vfsops, vfc_next) to unprivileged users | sys/kern/vfs_subr.c:1839 | reproduced
DF-0010 | Low | Uninitialized struct cmsgcred leaks kernel stack via synthesized SCM_CREDS (SO_PASSCRED) | sys/kern/uipc_usrreq.c:683 | reproduced
DF-0011 | Low | Missing NULL check on sbcreatecontrol() in SO_PASSCRED path -> kernel NULL-deref panic | sys/kern/uipc_usrreq.c:694 | reproduced
DF-0015 | Low | Missing visibility/privilege check in kern.proc.pathname -> exe-path disclosure of arbitrary processes | sys/kern/kern_proc.c:2080 | reproduced
DF-0016 | Low | kinfo_proc (kern.proc.*) exports unredacted kernel pointers (KASLR defeat) | sys/kern/kern_proc.c:1603 | reproduced

Tested — not reproduced (15)

These findings were tested with a proof-of-concept but the claimed impact did not manifest. Each finding’s verdict explains whether it is a false positive, already fixed on this kernel, unreachable, or the test was inconclusive.

ID | Sev | Title | Location | PoC
DF-0393 | Critical | Remote heap buffer overflow via oversized Mesh ID IE in sta_add: memcpy 2+meshid[1] into se_meshid[34] with no bounds check | sys/netproto/802_11/wlan/ieee80211_scan_sta.c:310 | inconclusive
DF-0117 | High | UAF on kdmsg state in diskiodone: state refcount not held across async I/O | sys/kern/subr_diskiocom.c:372 | not_reproduced
DF-0220 | High | Predictable RNG: /dev/urandom+getrandom+kern.random return deterministic ChaCha20 keystream (zero key) before first reseed | sys/kern/subr_csprng.c:84 | not_reproduced
DF-0243 | High | size_t underflow in exec_shell_imgact when argv[0] longer than interpreter+fname -> kernel panic | sys/kern/imgact_shell.c:117 | not_reproduced
DF-0281 | High | Remote kernel panic: divide-by-zero via PN MCC command with mtu=0 | sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:3019 | inconclusive
DF-0285 | High | Remote heap overflow via unchecked MESHID IE length in ieee80211_parse_meshid | sys/netproto/802_11/wlan/ieee80211_mesh.c:3456 | inconclusive
DF-0291 | High | Heap buffer overflow in setmlme_assoc_adhoc: unbounded im_ssid_len into 32-byte buffers | sys/netproto/802_11/wlan/ieee80211_ioctl.c:1568 | inconclusive
DF-0315 | High | UAF: wg_peer_destroy frees peer struct while data-plane paths access it without peer refcount | sys/net/wg/if_wg.c:589 | not_reproduced
DF-0326 | High | Remote heap overflow: unbounded SSID IE length copied into fixed 32-byte ni_essid | sys/netproto/802_11/wlan/ieee80211_node.c:815 | inconclusive
DF-0590 | High | No serialization of bridge state in legacy netgraph/ng_bridge -- UAF in rehash, OOB heap write in GET_TABLE, deterministic KASSERT panics under concurrent traffic | sys/netgraph/bridge/ng_bridge.c:297 | not_reproduced
DF-0014 | Medium | enterpgrp() lwkt_reltoken on an un-acquired token -> race-triggered kernel panic | sys/kern/kern_proc.c:763 | not_reproduced
DF-0039 | Medium | ptsopen check-then-use TOCTOU on dev->si_drv1 -> NULL-deref kernel panic (local DoS) | sys/kern/tty_pty.c:313 | not_reproduced
DF-0044 | Medium | mount_get_by_nc returns struct mount without a hold -> use-after-free via cache_fullpath racing dounmount | sys/kern/vfs_mount.c:1235 | not_reproduced
DF-0106 | Medium | dkcksum32 OOB read via crafted disklabel in writedisklabel path | sys/kern/subr_disklabel32.c:358 | not_reproduced
DF-0008 | Low | vfs_setpublicfs() use-after-vput of root vnode + refcount leak on VFS_VPTOFH error | sys/kern/vfs_subr.c:2255 | not_reproduced

Unverified (549)

Findings raised by static analysis that have no PoC verification yet. The writeup describes a suspected defect and its theoretical impact; it has not been confirmed against a running kernel.

ID | Sev | Title | Location | PoC
DF-0141 | High | Missing privilege check in sys_vquotactl: any user can set/read all quotas | sys/kern/vfs_quota.c:328 | —
DF-0142 | High | Sleeping allocation (M_WAITOK kmalloc) while holding ac_spin -> panic/deadlock | sys/kern/vfs_quota.c:158 | —
DF-0195 | High | Unlocked devstat list: concurrent device detach vs sysctl walk yields UAF (world-readable sysctl) | sys/kern/subr_devstat.c:268 | —
DF-0350 | High | Unbounded mesh route-table growth + attacker-controlled lifetime: remote memory exhaustion DoS | sys/netproto/802_11/wlan/ieee80211_hwmp.c:1057 | —
DF-0351 | High | uint32 metric accumulation overflow enables route poisoning / route hijacking | sys/netproto/802_11/wlan/ieee80211_hwmp.c:1089 | —
DF-0362 | High | pfr_fix_anchor unbounded slash-count loop causes size_t wraparound in bcopy/memset: kernel panic via DIOCRGETTABLES | sys/net/pf/pf_table.c:1740 | —
DF-0401 | High | Heap buffer overflow via unchecked slot->len in VALE bridge forwarding: pkt_copy up to 65536 bytes into 2048-byte buffer | sys/net/netmap/netmap_vale.c:988 | —
DF-0410 | High | Heap buffer overflow in ng_encode_string: buffer allocated by strlen(raw) but loop iterates attacker-controlled slen | sys/netgraph7/netgraph/ng_parse.c:919 | —
DF-0414 | High | Unchecked ph->length in PPPoE discovery packets: remote heap OOB read via get_tag/scan_tags walk bound | sys/netgraph7/pppoe/ng_pppoe.c:1314 | —
DF-0417 | High | Use-after-free race on nd_defrouter: defrtrlist_update returns unreferenced pointer consumed unlocked across RA prefix loop | sys/netinet6/nd6_rtr.c:285 | —
DF-0428 | High | pfsync_input has no source/peer authentication: any on-link host can inject/modify/destroy pf state | sys/net/pf/if_pfsync.c:462 | —
DF-0429 | High | Unauthenticated PFSYNC_ACT_UREQ forces victim to multicast entire pf state table: info disclosure + amplification DoS | sys/net/pf/if_pfsync.c:900 | —
DF-0430 | High | Unauthenticated PFSYNC_ACT_CLR/DEL/DEL_C let attacker mass-destroy arbitrary pf state across all CPUs | sys/net/pf/if_pfsync.c:542 | —
DF-0449 | High | Heap buffer overflow in ng_string_parse: missing *buflen bounds check before bcopy of user-supplied string | sys/netgraph/netgraph/ng_parse.c:704 | —
DF-0453 | High | Wrong session variable in rfcomm_session_newconn: timeout armed on listener not new session — memory leak + listener corruption DoS | sys/netbt/rfcomm_session.c:423 | —
DF-0457 | High | Unchecked ph->length in PPPoE discovery: heap OOB read via tag-walk + heap info leak via echoed Relay-Session-Id (v1 twin of DF-0414) | sys/netgraph/pppoe/ng_pppoe.c:925 | —
DF-0471 | High | ip_fw3_ctl_x: size_t underflow in sopt_valsize when <4 causes unbounded bcopy heap corruption/panic | sys/net/ipfw3/ip_fw3.c:1038 | —
DF-0472 | High | ip_fw3_ctl_add_rule missing cmd_len validation: heap over-read + info leak + OOB function pointer call | sys/net/ipfw3/ip_fw3.c:950 | —
DF-0473 | High | ip_fw3_chk: unbounded filter_funcs[module][opcode] indexing -> OOB function pointer call on remote traffic | sys/net/ipfw3/ip_fw3.c:506 | —
DF-0489 | High | Neighbor Advertisement handler leaks route refcount on every received NA: remote kernel memory exhaustion DoS | sys/netinet6/nd6_nbr.c:734 | —
DF-0490 | High | Type confusion in in_lifaddr_ioctl: AF_INET6 check matches IPv6 addresses cast to in_ifaddr — unpriv heap OOB read/info leak via SIOCGLIFADDR | sys/netinet/in.c:908 | —
DF-0492 | High | Lockless race on L2TP seq/window state: concurrent timer + remote packet processing -> UAF on xwin[] mbufs and node private data | sys/netgraph/l2tp/ng_l2tp.c:1126 | —
DF-0494 | High | Remote unauthenticated kernel heap+stack memory disclosure via ARP reply using attacker-controlled ar_hln/ar_pln | sys/netinet/if_ether.c:1182 | —
DF-0508 | High | L2CAP ConfigReq unknown-option echo inflates m_pkthdr.len past mbuf data -> remote kernel heap info leak | sys/netgraph7/bluetooth/l2cap/ng_l2cap_evnt.c:599 | —
DF-0509 | High | Stack buffer overflow in ng_ksocket_sockaddr_unparse via negative pathlen (PF_LOCAL sun_len underflow) | sys/netgraph7/ksocket/ng_ksocket.c:323 | —
DF-0524 | High | Stored raw pointer to member ifnet with no refcount: UAF when member interface destroyed | sys/netgraph/fec/ng_fec.c:408 | —
DF-0525 | High | ng_fec_tick iterates port list with no list lock: UAF race vs addport/delport | sys/netgraph/fec/ng_fec.c:579 | —
DF-0542 | High | inquiry_result: unbounded variable-length loop reads past mbuf end -> remote kernel panic | sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:380 | —
DF-0543 | High | num_compl_pkts: unbounded variable-length loop reads past mbuf end -> remote kernel panic | sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:884 | —
DF-0546 | High | OOB read of lut[] in netmap_mem_ofstophys: page-padding offset maps garbage physical page into userspace | sys/net/netmap/netmap_mem2.c:165 | —
DF-0558 | High | hci_event_num_compl_pkts: unbounded variable-length loop NO per-iteration bounds check -> remote kernel panic | sys/netbt/hci_event.c:376 | —
DF-0559 | High | hci_event_inquiry_result/rssi_result: unbounded loops guarded only by KKASSERT -> remote kernel panic on short data | sys/netbt/hci_event.c:447 | —
DF-0569 | High | Heap OOB write via byte-swapped alias_port used as array index: every NAT deployment corrupts heap ~1.6% of connections | sys/net/ipfw3_nat/ip_fw3_nat.c:436 | —
DF-0570 | High | Remote OOB read: inbound port/icmp_id indexed into alias arrays without bounds check | sys/net/ipfw3_nat/ip_fw3_nat.c:204 | —
DF-0572 | High | Per-CPU cfg_nat pointer cached in shared firewall rule: cross-CPU RB-tree races -> corruption | sys/net/ipfw3_nat/ip_fw3_nat.c:158 | —
DF-0580 | High | ieee80211_defrag UAF/dangling-pointer: DragonFly m_cat frees fragment but code reads wh + m_pkthdr.len after | sys/netproto/802_11/wlan/ieee80211_input.c:248 | —
DF-0594 | High | TKIP RX length underflow on too-short frames -> OOB read and KASSERT panic in wep_decrypt/michael_mic/m_copydata | sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c:266 | —
DF-0047 | Medium | mtx_wait_link lock-leak race: chain can grant lock during mtx_delete_link window, caller returns error despite holding the lock (permanent deadlock) | sys/kern/kern_mutex.c:1002 | —
DF-0056 | Medium | Heap overflow via unchecked p_filesz > p_memsz in PT_LOAD segment loading | sys/kern/link_elf.c:507 | —
DF-0075 | Medium | DIOCGSLICEINFO leaks kernel pointers (KASLR bypass) via raw struct diskslices copyout | sys/kern/subr_diskslice.c:556 | —
DF-0083 | Medium | OOB write into cpu_topology_nodes[MAXCPU] during boot topology construction on high-CPU-count systems | sys/kern/subr_cpu_topology.c:115 | —
DF-0103 | Medium | p_tracenode/p_traceflag mutated without target p_token -> refcount double-drop/UAF and NULL-deref TOCTOU | sys/kern/kern_ktrace.c:506 | —
DF-0134 | Medium | Missing structural validation in l64_readdisklabel: crafted partition fields accepted without bounds checks | sys/kern/subr_disklabel64.c:176 | —
DF-0136 | Medium | Jail isolation breach: varsym_list(VARSYM_SYS) leaks host varsyms to jailed processes | sys/kern/kern_varsym.c:263 | —
DF-0137 | Medium | Unlocked TAILQ traversal in varsymset_init() during fork: data race/UAF | sys/kern/kern_varsym.c:519 | —
DF-0139 | Medium | SLEEPQ_HASH misplaced mask causes massive OOB index into sleepq_chains array | sys/kern/subr_sleepqueue.c:82 | —
DF-0143 | Medium | nlookupdata leaked on nlookup failure (missing nlookup_done) | sys/kern/vfs_quota.c:354 | —
DF-0144 | Medium | copyin return value silently discarded before prop_dictionary_copyin | sys/kern/vfs_quota.c:345 | —
DF-0145 | Medium | vq_done stub leaks all quota RB-trees on unmount | sys/kern/vfs_quota.c:142 | —
DF-0149 | Medium | Signed-integer truncation in TLV walk size math allows backward/OOB pointer movement | sys/kern/subr_module.c:79 | —
DF-0162 | Medium | Global modules TAILQ mutated without mod_token: unpriv readers race with privileged kldload/unload | sys/kern/kern_module.c:141 | —
DF-0176 | Medium | cttyioctl forwards ioctls to ttyvp without vnode reference (UAF race) | sys/kern/tty_tty.c:238 | —
DF-0181 | Medium | sysctl_hostname leaks XLOCK on EPERM: jailed root deadlocks host sysctl subsystem | sys/kern/kern_mib.c:217 | —
DF-0185 | Medium | Uninitialized kernel stack memory leaked via acl_get_file/acl_get_fd | sys/kern/kern_acl.c:92 | —
DF-0202 | Medium | Unthrottled kprintf log-flood DoS via umtx_sleep/wakeup on unmapped address | sys/kern/kern_umtx.c:150 | —
DF-0207 | Medium | Memory leak in clist_alloc_cblocks: old c_data never freed on resize | sys/kern/tty_subr.c:61 | —
DF-0234 | Medium | Signed-integer overflow in callout timer calc (min_period*hz/2) -> self-perpetuating CPU-burn or watchdog defeat | sys/kern/kern_wdog.c:94 | —
DF-0236 | Medium | Driver callbacks (wdog_fn) invoked under global spinlock with interrupts disabled | sys/kern/kern_wdog.c:84 | —
DF-0239 | Medium | Missing resume_kproc implementation: suspend permanently freezes kernel daemons | sys/kern/kern_kthread.c:216 | —
DF-0245 | Medium | Per-cpu iowbytes counter underflow via thread migration accounting break | sys/kern/kern_iosched.c:79 | —
DF-0246 | Medium | UAF: eventhandler dispatch traverses entry list without token while deregister frees entries | sys/kern/subr_eventhandler.c:114 | —
DF-0266 | Medium | Uninitialized inflate window: kernel heap info leak via stale window data | sys/net/zlib.c:3706 | —
DF-0269 | Medium | Stack buffer overflow in sppp_print_bytes: VLA sized len but hexncpy writes 3*len bytes | sys/net/sppp/if_spppsubr.c:5290 | —
DF-0271 | Medium | NULL deref in bridge_input: unchecked bridge_lookup_member_if result (race with member deletion) | sys/net/bridge/if_bridge.c:2738 | —
DF-0273 | Medium | Missing break between SIOCSIFDESCR and SIOCSIFFLAGS: fall-through reinterprets description length as interface flags | sys/net/if.c:2131 | —
DF-0275 | Medium | Heap buffer overflow in WPA/RSN IE construction: variable-length IE written into fixed sizeof(ieee80211_ie_wpa)=100 slot | sys/netproto/802_11/wlan/ieee80211_output.c:1976 | —
DF-0276 | Medium | Wrong-pointer kfree in DIOCADDADDR error path frees framework pointer instead of allocated pooladdr | sys/net/pf/pf_ioctl.c:2160 | —
DF-0282 | Medium | Signed tx_cred overflow and OOB credit byte read in UIH reception | sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2409 | —
DF-0286 | Medium | Missing length validation in mesh action frame handler: OOB read of stale data | sys/netproto/802_11/wlan/ieee80211_mesh.c:2548 | —
DF-0287 | Medium | Divide-by-zero kernel panic in mesh_airtime_calc via ni_txrate==0 | sys/netproto/802_11/wlan/ieee80211_mesh.c:3366 | —
DF-0289 | Medium | UAF/TOCTOU: mesh route pointers returned unreferenced, forward_to_gates drops lock mid-traversal | sys/netproto/802_11/wlan/ieee80211_mesh.c:230 | —
DF-0296 | Medium | UAF/cross-node races: peer hooks/nodes dereferenced without reference or peer-token | sys/netgraph7/netgraph/ng_base.c:1092 | —
DF-0301 | Medium | Missing replay protection on CARP advertisements: L2-adjacent DoS of failover | sys/netinet/ip_carp.c:1137 | —
DF-0302 | Medium | Failover state machine in input path runs without synchronization: concurrent state corruption | sys/netinet/ip_carp.c:1108 | —
DF-0303 | Medium | HMAC precomputed context torn-read race between config and input paths | sys/netinet/ip_carp.c:504 | —
DF-0306 | Medium | UAF in add_bw_upcall: mfc pointer used after mroute_token released across blocking kmalloc | sys/net/ip_mroute/ip_mroute.c:2285 | —
DF-0320 | Medium | Reorder buffer rxa_m[] mutated without dedicated lock: RX races timer flush and ADDBA re-init (double-free/UAF) | sys/netproto/802_11/wlan/ieee80211_ht.c:780 | —
DF-0325 | Medium | Deadlock: callout_stop under pcb_lock while timeout callback requires pcb_lock | sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap.c:2765 | —
DF-0337 | Medium | tcp_pcblist sysctl raw-copies entire inpcb and tcpcb with kernel pointers to unprivileged users | sys/netinet/tcp_subr.c:1284 | —
DF-0349 | Medium | Heap OOB read in PREQ processing when target count is 0: (ndest-1) wraps to SIZE_MAX | sys/netproto/802_11/wlan/ieee80211_hwmp.c:311 | —
DF-0352 | Medium | RANN frame overwrites shared global ieee80211_hwmp_rannint without lock: remote timer DoS | sys/netproto/802_11/wlan/ieee80211_hwmp.c:1971 | —
DF-0354 | Medium | nd6_sysctl_prlist stack buffer over-read leaks kernel memory when router count exceeds buffer capacity | sys/netinet6/nd6.c:2238 | —
DF-0355 | Medium | nd6_sysctl_drlist/prlist iterate defrouter/prefix lists without nd6_mtx: UAF race with RA processing | sys/netinet6/nd6.c:2168 | —
DF-0365 | Medium | ieee80211_media_setup unbounded rate-set merge overflows stack buffer rs_rates[15]: 17 unique rates across 11a/b/g/HALF/QUARTER | sys/netproto/802_11/wlan/ieee80211.c:1564 | —
DF-0366 | Medium | Lockless sc_count pre-check in lagg_start races with port destroy causing divide-by-zero panic | sys/net/lagg/if_lagg.c:1758 | —
DF-0382 | Medium | config_red divides by (max_th-min_th) and max_th without zero check: kernel panic — same bug class as dummynet v1 unfixed | sys/net/dummynet3/ip_dummynet3.c:1351 | —
DF-0388 | Medium | Kernel heap info leak via uninitialized rt_msghdr.rtm_inits in NET_RT_DUMP sysctl: no M_ZERO on buffer | sys/net/rtsock.c:1676 | —
DF-0391 | Medium | pf_fragcache: m_dup NULL dereferenced before NULL check in m_adj argument: remote DoS under memory pressure with fragcrop | sys/net/pf/pf_norm.c:661 | —
DF-0402 | Medium | Direct kernel dereference of user-controlled pointer in netmap_bdg_learning before copyin: panic or kernel info-leak | sys/net/netmap/netmap_vale.c:994 | —
DF-0406 | Medium | in_delayed_cksum: unchecked m_pullup return leads to NULL pointer write panic | sys/netinet/ip_output.c:940 | —
DF-0411 | Medium | Infinite loop in ng_parse_skip_value on unclosed quoted string inside brackets: kernel thread hang DoS | sys/netgraph7/netgraph/ng_parse.c:1651 | —
DF-0418 | Medium | Unbounded default-router and prefix list growth from spoofed RAs: RA-flooding kernel memory exhaustion DoS | sys/netinet6/nd6_rtr.c:689 | —
DF-0420 | Medium | Use-after-free in SCO reassembly buffer: sc_isoc_in_buffer retains dangling pointer after mbuf forwarded and realloc fails | sys/netgraph7/bluetooth/drivers/ubt/ng_ubt.c:1103 | —
DF-0423 | Medium | Stale reg_mif_num after MRT6_DEL_MIF: remote NULL-deref panic via PIM REGISTER to freed register mif | sys/netinet6/ip6_mroute.c:642 | —
DF-0431 | Medium | Dead expire-scaling code: imported state expiry is always raw attacker value, enabling infinite-lifetime states | sys/net/pf/if_pfsync.c:402 | —
DF-0436 | Medium | Heap OOB read + security-filter bypass via OGF=0/event=0: negative bitstr index into ng_btsocket_hci_raw_sec_filter | sys/netgraph7/bluetooth/socket/ng_btsocket_hci_raw.c:669 | —
DF-0441 | Medium | Divide-by-zero kernel panic when ns_per_byte==0: CBQ class add/modify unconditionally divides by user-supplied value | sys/net/altq/altq_rmclass.c:237 | —
DF-0445 | Medium | altq_etherclassify NULL-pointer dereference: mbuf chain walk advances to m_next without NULL check | sys/net/if_ethersubr.c:927 | —
DF-0450 | Medium | OOB kernel heap read in ng_string_unparse via unbounded strlen on binary data without NUL terminator | sys/netgraph/netgraph/ng_parse.c:722 | —
DF-0451 | Medium | OOB read in ng_fixedstring_unparse: known bufSize ignored, delegates to unbounded strlen | sys/netgraph/netgraph/ng_parse.c:785 | —
DF-0454 | Medium | Uninitialized kernel stack info leak in RPN response: param_mask never initialized for 1-byte RPN command | sys/netbt/rfcomm_session.c:1227 | —
DF-0458 | Medium | Heap over-read / info-leak / panic in L2CA_Ping: missing echo-data length validation | sys/netgraph7/bluetooth/l2cap/ng_l2cap_ulpi.c:1306 | —
DF-0474 | Medium | Opcode iteration loop: F_LEN(cmd)==0 causes infinite loop hanging netisr thread | sys/net/ipfw3/ip_fw3.c:493 | —
DF-0475 | Medium | act_ofs never validated: OOB pointer deref via ACTION_PTR during packet matching | sys/net/ipfw3/ip_fw3.c:520 | —
DF-0476 | Medium | ip_fw3_register_module: strncpy bounded by strlen(src) not sizeof(dst): buffer overflow + missing NUL | sys/net/ipfw3/ip_fw3.c:180 | —
DF-0477 | Medium | ip_fw3_ctl_get_modules: bcopy without checking strlen(module_str) <= sopt_valsize: buffer overflow | sys/net/ipfw3/ip_fw3.c:985 | —
DF-0484 | Medium | SYN-cookie crypto state global unsynchronized across netisr CPUs: racy MD5_CTX + tcp_secret[] defeats SYN-flood mitigation | sys/netinet/tcp_syncache.c:1351 | —
DF-0495 | Medium | rn_delete integer underflow: klen-head_off wraps to huge size_t when key sa_len < tree offset -> kernel panic | sys/net/radix.c:884 | —
DF-0497 | Medium | TOCTOU use-after-free on rtentry in ng_btsocket_l2cap_raw_bind: releases rt_lock before storing pointer | sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:690 | —
DF-0502 | Medium | ng_fec_shutdown infinite loop when member interface destroyed: dangling pointer + unkillable loop | sys/netgraph7/ng_fec.c:1335 | —
DF-0503 | Medium | ifnet locking-contract violation and stored-pointer UAF on member ifnets | sys/netgraph7/ng_fec.c:370 | —
DF-0510 | Medium | Credential bypass via thread0 fallback in socket operations: root creds for all ksocket ops | sys/netgraph7/ksocket/ng_ksocket.c:546 | —
DF-0513 | Medium | Rule-chain mutation raced with concurrent ip6_fw_chk: lock-free linked list + kfree after crit_exit -> UAF on SMP | sys/net/ip6fw/ip6_fw.c:856 | —
DF-0518 | Medium | ICMP error generation (icmp_error) not rate-limited: reflection/amplification DoS | sys/netinet/ip_icmp.c:144 | —
DF-0521 | Medium | PF_LOCAL sockaddr unparse: sun_len<pathoff underflow -> giant bcopy -> stack OOB write (DF-0509 v1 twin) | sys/netgraph/ksocket/ng_ksocket.c:321 | —
DF-0522 | Medium | thread0 root-credential fallback for socket operations (DF-0510 v1 twin) | sys/netgraph/ksocket/ng_ksocket.c:559 | —
DF-0526 | Medium | ng_fec_choose_port dereferences ether/IP headers without mbuf length validation: OOB read | sys/netgraph/fec/ng_fec.c:897 | —
DF-0527 | Medium | ng_fec_choose_port NULL dereference when computed port index removed: reachable panic after port delete | sys/netgraph/fec/ng_fec.c:896 | —
DF-0528 | Medium | ng_fec_rmnode infinite loop when member interface vanished: dangling ptr + unkillable loop | sys/netgraph/fec/ng_fec.c:1224 | —
DF-0529 | Medium | Double-kfree/interior-pointer kfree in ng_fec_constructor error paths: heap corruption | sys/netgraph/fec/ng_fec.c:1085 | —
DF-0533 | Medium | Unsynchronized sc->inq/outq between hard ISR and netgraph forward: ifqueue corruption / UAF | sys/netgraph7/bluetooth/drivers/bt3c/ng_bt3c_pccard.c:939 | —
DF-0534 | Medium | Heap OOB read in ngc_send: ng_mesg buffer under-allocated, header fields read out of bounds | sys/netgraph7/socket/ng_socket.c:254 | —
DF-0535 | Medium | Integer underflow in ngc_send path-length math: sg_len<2 -> bcopy with SIZE_MAX -> kernel heap smash | sys/netgraph7/socket/ng_socket.c:245 | —
DF-0536 | Medium | Unprivileged kernel heap over-read via non-NUL-terminated sg_data in ng_connect_data | sys/netgraph7/socket/ng_socket.c:752 | —
DF-0540 | Medium | Uninitialized cmd.ident sent in Command Reject: remote 1-byte kernel stack info leak | sys/netbt/l2cap_signal.c:70 | —
DF-0547 | Medium | Ring cleanup trusts userspace-writable buf_idx: cross-adapter double-free / buffer aliasing | sys/net/netmap/netmap_mem2.c:995 | —
DF-0554 | Medium | Missing min frame-length check + unsigned STEPBY underflow: kernel heap OOB read in LMI parser | sys/netgraph/lmi/ng_lmi.c:552 | —
DF-0560 | Medium | hci_event_command_compl: reads status byte beyond asserted length -> short-event remote kernel panic | sys/netbt/hci_event.c:299 | —
DF-0562 | Medium | STEPBY unsigned underflow via missing minimum length check (LMI_MIN_LENGTH defined never used) — ng7 twin of DF-0554 | sys/netgraph7/lmi/ng_lmi.c:88 | —
DF-0565 | Medium | Callout lifetime: ng_uncallout non-synchronizing + nglmi_shutdown omits ng_uncallout — ng7 twin of DF-0557 | sys/netgraph7/lmi/ng_lmi.c:1053 | —
DF-0566 | Medium | ACL reassembly want is uint16_t: overshoot wraps -> L2CAP RX stall + unbounded memory growth | sys/netbt/hci_link.c:421 | —
DF-0571 | Medium | kernel panic on any non-TCP/UDP/ICMP packet hitting NAT rule | sys/net/ipfw3_nat/ip_fw3_nat.c:219 | —
DF-0573 | Medium | Unvalidated ioc->id used as nats[] index: OOB read/write of pointer array | sys/net/ipfw3_nat/ip_fw3_nat.c:745 | —
DF-0581 | Medium | ieee80211_setup_rates trusts attacker-controlled IE length byte: latent heap overflow of rs_rates[15] | sys/netproto/802_11/wlan/ieee80211_input.c:420 | —
DF-0585 | Medium | TAPSIFINFO leaks the ifnet serializer on type mismatch (local DoS / kernel wedge) | sys/net/tap/if_tap.c:738 | —
DF-0586 | Medium | Lockless global hci_pcb list allows use-after-free during concurrent socket teardown and packet tap | sys/netbt/hci_socket.c:87 | —
DF-0588 | Medium | tunwrite leaks mbuf chain on unsupported address family (m_freem(m) vs m_freem(top)) | sys/net/tun/if_tun.c:875 | —
DF-0589 | Medium | sc->outq mbuf-queue race in ng_h4: IF_DEQUEUE in ng_h4_start (tty ctx) vs IF_DRAIN in disconnect/shutdown (netgraph ctx); NG_H4_LOCK is only per-CPU crit_enter | sys/netgraph7/bluetooth/drivers/h4/ng_h4.c:88 | —
DF-0596 | Medium | Unsynchronized SMP race on xmitWin causes heap OOB write on timeSent[] in ng_pptpgre | sys/netgraph/pptpgre/ng_pptpgre.c:121 | —
DF-0018 | Low | Duplicate DELETE for same DMSG msgid triggers KKASSERT panic (DoS) | sys/kern/kern_dmsg.c:1076 | —
DF-0019 | Low | usched_bsd4.queue_checks accepts <=0 causing NULL-deref/panic in cache-coherent chooseproc | sys/kern/usched_bsd4.c:1483 | —
DF-0020 | Low | ELF ABI-note descriptor read out of bounds (note_overflow ignores n_descsz) | sys/kern/imgact_elf.c:1700 | —
DF-0021 | Low | Signed-int overflow in oversized kmalloc size reconstruction (*kup << PAGE_SHIFT) | sys/kern/kern_slaballoc.c:1202 | —
DF-0022 | Low | PPS_IOC_KCBIND missing privilege check allows unprivileged kernel-PLL binding (NTP confusion) | sys/kern/kern_clock.c:1680 | —
DF-0024 | Low | Heap overflow in linker_search_path() via over-long kldload module name | sys/kern/kern_linker.c:1458 | —
DF-0025 | Low | Missing privilege check on sys_kldstat()/sys_kldsym() leaks kernel symbol and module addresses | sys/kern/kern_linker.c:940 | —
DF-0026 | Low | Root-writable bioq_reorder_minor_interval used as modulus divisor without validation -> divide-by-zero panic | sys/kern/subr_disk.c:1325 | —
DF-0027 | Low | wait4/wait6 leak uninitialized kernel stack via status, rusage/wrusage and siginfo on WNOHANG/WCONTINUED return paths | sys/kern/kern_exit.c:913 | —
DF-0029 | Low | Unchecked copyin() in jrecord_data leaves stale kernel data in the journal stream | sys/kern/vfs_journal.c:1093 | —
DF-0030 | Low | jrecord_write_path goto again can spin indefinitely under concurrent rename (local DoS) | sys/kern/vfs_journal.c:1251 | —
DF-0031 | Low | pipe->open_count underflow on pipe_create partial failure leaks kernel KVA and pipe struct | sys/kern/sys_pipe.c:433 | —
DF-0034 | Low | Uninitialized st_padding1 leaked to userspace via every stat syscall | sys/kern/vfs_vnops.c:852 | —
DF-0038 | Low | journal_putpages UNDO records btoc(a_count) pages instead of a_count bytes (silent rollback corruption) | sys/kern/vfs_jops.c:955 | —
DF-0040 | Low | Section-header index not bounds-checked against e_shnum in link_elf_obj_load_file (heap OOB read) | sys/kern/link_elf_obj.c:551 | —
DF-0041 | Low | Unbounded st_name / sh_name offsets into symbol/section string tables (heap OOB read via strcmp) | sys/kern/link_elf_obj.c:304 | —
DF-0042 | Low | Relocation r_offset never bounds-checked against target section size (OOB / wild kernel write) | sys/kern/link_elf_obj.c:940 | —
DF-0046 | Low | Missing SEMVMX upper-bound in semop/semexit allows semval overflow, wrap, spurious wakeups, and rollback corruption | sys/kern/sysv_sem.c:848 | —
DF-0050 | Low | msgctl(IPC_STAT) leaks kernel heap pointers (msg_first/msg_last) and uninitialized padding to any local user | sys/kern/sysv_msg.c:324 | —
DF-0052 | Low | alst_leaf_alloc corrupts bm_bighint hint by mutating start before the bighint-decision comparison | sys/kern/subr_alist.c:443 | —
DF-0054 | Low | Truncated prison-id sysctl node name in prison_sysctl_create (off-by-one in ksnprintf size) | sys/kern/kern_jail.c:993 | —
DF-0057 | Low | Missing e_shentsize validation causes heap OOB read on shdr[] array | sys/kern/link_elf.c:590 | —
DF-0058 | Low | Unbounded sh_link to symstrindex causes heap OOB read (DF-0040 analogue, worse: no check at all) | sys/kern/link_elf.c:601 | —
DF-0059 | Low | Uninitialized segs[1]/segs[0] dereference when fewer than 2 PT_LOAD segments | sys/kern/link_elf.c:399 | —
DF-0060 | Low | DT_HASH d_ptr dereferenced without bounds validation - wild kernel read in parse_dynamic | sys/kern/link_elf.c:240 | —
DF-0061 | Low | Relocation r_offset never bounds-checked against module size (DF-0042 analogue, wild write) | sys/kern/link_elf.c:714 | —
DF-0062 | Low | Unbounded st_name offsets into strtab (DF-0041 analogue, heap OOB read via strcmp) | sys/kern/link_elf.c:698 | —
DF-0063 | Low | Hash-chain cycle in link_elf_lookup_symbol causes kernel infinite-loop DoS | sys/kern/link_elf.c:812 | —
DF-0067 | Low | add_buffer_randomness_src passes full remaining length (bytes) instead of chunk size (n), defeating cross-CPU entropy splitting | sys/kern/kern_nrandom.c:650 | —
DF-0071 | Low | Missing sign/upper-bound validation on vpcount before heap alloc + file read (negative->huge kmalloc M_WAITOK DoS) | sys/kern/kern_checkpoint.c:561 | —
DF-0072 | Low | Missing sign/upper-bound validation on cfh_nfiles before heap alloc + file read (DoS; 32-bit integer-overflow heap OOB) | sys/kern/kern_checkpoint.c:596 | —
DF-0076 | Low | soisconnected derefs head->so_accf based on inherited child SO_ACCEPTFILTER flag (NULL-deref/UAF race) | sys/kern/uipc_socket2.c:252 | —
DF-0077 | Low | Uninitialized kernel stack bytes leaked via kern.ntp_pll.gettime sysctl (struct ntptimeval trailing padding) | sys/kern/kern_ntptime.c:205 | —
DF-0080 | Low | MEMRANGE_SET ioctl bypasses securelevel (mem_ioctl never checks FWRITE flag) | sys/kern/kern_memio.c:521 | —
DF-0084 | Low | Off-by-one OOB read in get_next_valid_apicid: array indexed before bound check in while condition | sys/kern/subr_cpu_topology.c:91 | —
DF-0085 | Low | taskqgroup_drain_all uses wrong loop bound (ncpus instead of tqg_cnt) - latent UAF if API adopted | sys/kern/subr_gtaskqueue.c:806 | —
DF-0088 | Low | No runtime validation in free_unrl against out-of-range/double-free (KASSERT-only, defense-in-depth) | sys/kern/subr_unit.c:556 | —
DF-0089 | Low | Resource merge in release path ignores address contiguity - creates false spans across unmanaged gaps | sys/kern/subr_rman.c:560 | —
DF-0090 | Low | rman_reserve_resource has no count==0 guard - unsigned underflow in range math corrupts resource list | sys/kern/subr_rman.c:205 | —
DF-0093 | Low | Kernel heap pointer leaked to userspace via shmctl(IPC_STAT) shm_internal field + struct padding | sys/kern/sysv_shm.c:420 | —
DF-0095 | Low | Per-process shmmap_state sized at alloc-time shmseg but all loops re-read LIVE root-writable shminfo.shmseg - OOB when raised | sys/kern/sysv_shm.c:284 | —
DF-0096 | Low | sglist_join has reversed bcopy arguments - joins produce stale/garbage segments (dead code, identical to upstream FreeBSD) | sys/kern/subr_sglist.c:583 | —
DF-0097 | Low | sglist_consume_uio truncates iov_len (size_t) to int - signedness confusion / data drop (dead code) | sys/kern/subr_sglist.c:383 | —
DF-0099 | Low | Off-by-one heap NUL-byte overflow in vfs_mountroot_try via ksscanf width/buffer-size mismatch | sys/kern/vfs_conf.c:419 | —
DF-0101 | Low | struct ktr_header written to trace file leaks kernel pointer (ktr_buf) and uninitialized padding | sys/kern/kern_ktrace.c:611 | —
DF-0102 | Low | Uninitialized payload fields (ktr_sysret.ktr_eosys, ktr_syscall padding) written to trace file | sys/kern/kern_ktrace.c:139 | —
DF-0105 | Low | DT_CALLOUT_ARMED set before callout_reset creates enqueue/cancel race (panic or tq_callouts underflow + spurious UAF) | sys/kern/subr_taskqueue.c:355 | —
DF-0108 | Low | Unvalidated d_secsize in writedisklabel enables oversized I/O transfer | sys/kern/subr_disklabel32.c:336 | —
DF-0111 | Low | CT_CHAR (%c) non-suppress bcopy reads width bytes without checking inr -> OOB read
sys/kern/subr_scanf.c:307
β€”
DF-0113 Low PT_DETACH reparents tracee to recycled p_oppid PID
sys/kern/sys_process.c:350
β€”
DF-0118 Low Memory leak of dios_io/dios_open on kdmsg state teardown (no destructor for state->any.any)
sys/kern/subr_diskiocom.c:637
β€”
DF-0120 Low Unprivileged read of all kernel env variables (boot/loader secrets)
sys/kern/kern_environment.c:135
β€”
DF-0124 Low Unsynchronized open-mode bookkeeping in cnopen/cnclose (D_MPSAFE)
sys/kern/tty_cons.c:368
β€”
DF-0125 Low sysctl_kern_consmute races cnread/cnwrite/cnioctl forwarding (no lock)
sys/kern/tty_cons.c:257
β€”
DF-0128 Low fp_vpopen NULL deref on td->td_proc when called from pure thread context
sys/kern/kern_fp.c:165
β€”
DF-0129 Low fp_mmap dereferences fp->f_data without NULL check after f_type check
sys/kern/kern_fp.c:472
β€”
DF-0130 Low fp_read all=1 mode can spin indefinitely on persistent EINTR/ERESTART
sys/kern/kern_fp.c:271
β€”
DF-0132 Low Unvalidated sensor type as array index: OOB write in sensor_attach/detach
sys/kern/kern_sensors.c:143
β€”
DF-0133 Low Algorithmic-complexity DoS in EBR recursion (tetranacci explosion)
sys/kern/subr_diskmbr.c:427
β€”
DF-0135 Low Integer overflow in l64_setdisklabel partition bounds check: p_boffset+p_bsize wraparound bypasses ENOSPC
sys/kern/subr_disklabel64.c:304
β€”
DF-0138 Low Cross-jail USER varsym namespace sharing (per-UID not per-jail)
sys/kern/kern_varsym.c:259
β€”
DF-0140 Low Unchecked queue argument -> OOB write on wc_blocked[queue]
sys/kern/subr_sleepqueue.c:266
β€”
DF-0146 Low prop_dictionary/prop_array leaks on several sys_vquotactl paths
sys/kern/vfs_quota.c:374
β€”
DF-0147 Low Signed/unsigned accounting: int64_t delta added to uint64_t ac_bytes can wrap
sys/kern/vfs_quota.c:160
β€”
DF-0148 Low TOCTOU: vq_write_ok check and vfs_stdaccount commit are separate critical sections
sys/kern/vfs_quota.c:443
β€”
DF-0150 Low Unbounded strlen/strcmp on TLV string fields ignores declared length
sys/kern/subr_module.c:69
β€”
DF-0151 Low Fixed-size reads in preload_modinfo_value ignore field length
sys/kern/subr_module.c:374
β€”
DF-0152 Low preload_dump_internal termination check weaker than other walkers; huge len advances pointer
sys/kern/subr_module.c:410
β€”
DF-0156 Low be_uuid_dec decodes time_mid with wrong byte order (le16dec instead of be16dec)
sys/kern/kern_uuid.c:361
β€”
DF-0157 Low xio_uio_copy missing upper-bound check; KKASSERT(bytes>=0) is tautology on unsigned size_t
sys/kern/kern_xio.c:196
β€”
DF-0158 Low Signed uoffset/bytes in copy routines let negative values bypass EFAULT guard
sys/kern/kern_xio.c:235
β€”
DF-0161 Low m_tag_copy_chain reverses tag order: tprev=t misplaced inside else branch
sys/kern/uipc_mbuf2.c:376
β€”
DF-0163 Low module_register_init runs lookup/register/MOD_EVENT without mod_token
sys/kern/kern_module.c:89
β€”
DF-0166 Low syscap_set INPARENT: uid/prison checked without p_token before capability mutation
sys/kern/kern_caps.c:164
β€”
DF-0167 Low syscap_get INPARENT: no same-uid/same-prison authorization: info leak of capability config
sys/kern/kern_caps.c:95
β€”
DF-0170 Low Ignored copyin return feeds uninitialized stack sched_param into ksched
sys/kern/kern_p1003_1b.c:202
β€”
DF-0173 Low Divide-by-zero panic via kern.hz=0 loader tunable
sys/kern/subr_param.c:200
β€”
DF-0174 Low Integer overflow in ncallout via unbounded kern.maxfiles
sys/kern/subr_param.c:282
β€”
DF-0177 Low cttykqfilter forwards knote to ttyvp with no token and no reference
sys/kern/tty_tty.c:284
β€”
DF-0178 Low cttyvp() snapshot read of s_ttyvp unsynchronized vs proc_token-held writers
sys/kern/tty_tty.c:74
β€”
DF-0179 Low Unconditional kernel address leak via kern.proc sysctl (KASLR bypass)
sys/kern/kern_kinfo.c:128
β€”
DF-0182 Low Uninitialized kernel stack memory disclosed via vm.resident sysctl
sys/kern/imgact_resident.c:82
β€”
DF-0183 Low UAF of tsleep wait channel when racing unregister of in-flight resident image
sys/kern/imgact_resident.c:291
β€”
DF-0186 Low vacl_delete silently ignores user-supplied ACL type, always deletes ACL_TYPE_DEFAULT
sys/kern/kern_acl.c:107
β€”
DF-0187 Low vacl_get_acl/aclcheck call VOPs without vnode lock, inconsistent with set/delete
sys/kern/kern_acl.c:88
β€”
DF-0189 Low TOCTOU race in /dev/klog single-open enforcement
sys/kern/subr_log.c:98
β€”
DF-0190 Low logopen performs no jail check beyond devfs file mode
sys/kern/subr_log.c:92
—
DF-0191 Low Divide-by-zero panic via log_wakeups_per_second=0 sysctl
sys/kern/subr_log.c:87
—
DF-0193 Low vfs_vptofh reads vp->v_mount twice without snapshot/NULL-check
sys/kern/vfs_vfsops.c:266
—
DF-0196 Low STAILQ_REMOVE in devstat_remove_entry derefs NULL if node already absent
sys/kern/subr_devstat.c:139
—
DF-0198 Low tag_types[tag_type] indexed without bounds check
sys/kern/subr_devstat.c:211
—
DF-0199 Low Day-of-month 0 causes unsigned underflow in fattime2timespec (crafted FAT image)
sys/kern/subr_fattime.c:233
—
DF-0200 Low Negative tv_sec bypasses 1980-truncate guard in timespec2fattime
sys/kern/subr_fattime.c:150
—
DF-0203 Low Sentinel -1 collision: fuwordadd32 fault indistinguishable from mutex value -1
sys/kern/kern_umtx.c:146
—
DF-0204 Low umtx_wakeup ignores count argument: over-wakeup / cross-process thundering herd
sys/kern/kern_umtx.c:297
—
DF-0208 Low No validation of negative length in clist_qtob/btoq/ndflush
sys/kern/tty_subr.c:127
—
DF-0209 Low clist_nextc trusts caller cp without validating within live ring window
sys/kern/tty_subr.c:229
—
DF-0212 Low lwkt_serialize_handler_try omits post-acquire re-check of handler-enabled bit
sys/kern/lwkt_serialize.c:189
—
DF-0216 Low sysctl_kcollect_data copies past user buffer (unsigned underflow in bounds check)
sys/kern/kern_collect.c:235
—
DF-0217 Low sysctl reads kcollect_ary outside lock racing collection thread
sys/kern/kern_collect.c:233
—
DF-0221 Low Signed 1<<31 overflow disables Fortuna pool 31 from reseed schedule
sys/kern/subr_csprng.c:203
—
DF-0223 Low Missing sched_priority bounds check in SCHED_OTHER + signed-overflow UB in p4prio_to_rtpprio
sys/kern/kern_sched.c:181
—
DF-0224 Low ksched_getparam leaves sched_priority uninitialized for non-RT procs -> kernel stack info leak
sys/kern/kern_sched.c:142
—
DF-0228 Low hdr_lba_table (uint64) read via le32toh() -> silent 64-to-32 truncation
sys/kern/subr_diskgpt.c:133
—
DF-0229 Low uint32 wraparound in table_lba+table_blocks location bounds-check
sys/kern/subr_diskgpt.c:139
—
DF-0232 Low SIOCSPGRP invokes fsetown(-INT_MIN) -> signed-overflow UB on attacker-controlled value
sys/kern/sys_socket.c:164
—
DF-0233 Low Lockless SLIST traversal of domains list races with crit_enter-only writer
sys/kern/uipc_domain.c:137
—
DF-0235 Low No bounds validation on watchdog period (negative/>period_max accepted)
sys/kern/kern_wdog.c:114
—
DF-0237 Low TOCTOU on wdog_auto_enable in wdog_ioctl
sys/kern/kern_wdog.c:191
—
DF-0238 Low Callout overwrites sysctl-visible wdog_auto_period with driver-reported min
sys/kern/kern_wdog.c:108
—
DF-0240 Low suspend_kproc swallows timeout: always returns 0 even when daemon did not stop
sys/kern/kern_kthread.c:195
—
DF-0241 Low kproc_start dereferences thread pointer before checking kthread_create error
sys/kern/kern_kthread.c:176
—
DF-0248 Low Lockless SLIST traversal in accept_filt_get races with crit_enter-only add/del -> UAF
sys/kern/uipc_accf.c:99
—
DF-0249 Low Driver b_resid>b_bcount underflows iolen to huge size_t: oversized copyout leaks kernel heap
sys/kern/kern_physio.c:112
—
DF-0253 Low Namecache lock+ref leaked on nc_vp==NULL error path (missing nlookup_done)
sys/kern/vfs_synth.c:82
—
DF-0254 Low Namecache reference leaked on every successful call (cache_drop never called)
sys/kern/vfs_synth.c:86
—
DF-0256 Low Kernel pointer info leak via kern.file sysctl (f_file, f_data) to unprivileged users
sys/kern/subr_kcore.c:67
—
DF-0260 Low tcpopts_match/ipopts_match read options beyond m_pullup-guaranteed contiguous region
sys/net/ipfw/ip_fw2.c:1296
—
DF-0261 Low act_ofs copied from user input without validation against cmd_len -> heap OOB read
sys/net/ipfw/ip_fw2.c:4515
—
DF-0262 Low IPv6 NAT destination-translation corrupts source address (copy-paste bug)
sys/net/pf/pf.c:3896
—
DF-0263 Low ICMP-error NAT for other protocol corrupts inner source (copy-paste bug)
sys/net/pf/pf.c:5732
—
DF-0264 Low Unsigned wraparound in p_len when TCP th_off exceeds actual header
sys/net/pf/pf.c:6623
—
DF-0267 Low Race condition in fixed Huffman table initialization
sys/net/zlib.c:4496
—
DF-0268 Low No decompression bomb (zip bomb) protection
sys/net/zlib.c:3209
—
DF-0270 Low OOB read in PAP ACK/NAK debug: wrong bound len+4 should be len-4
sys/net/sppp/if_spppsubr.c:4390
—
DF-0274 Low SIOCADDMULTI trusts user sa_len for heap alloc and bcopy without bounds check
sys/net/if.c:2327
—
DF-0277 Low Kernel pointer leak via DIOCGETRULE: bcopy of pf_rule exposes kif/anchor/rpool.cur/skip[].ptr
sys/net/pf/pf_ioctl.c:1336
—
DF-0278 Low Kernel pointer leak via DIOCGETADDR: bcopy of pf_pooladdr exposes pfi_kif*
sys/net/pf/pf_ioctl.c:2220
—
DF-0279 Low Kernel pointer leak via DIOCGETALTQ: bcopy of pf_altq exposes altq_disc
sys/net/pf/pf_ioctl.c:2088
—
DF-0280 Low Integer overflow in ptr_array allocation in pf_setup_pfsync_matching (32-bit only theoretical)
sys/net/pf/pf_ioctl.c:942
—
DF-0283 Low Unconditional kernel panic if mbuf chain ends with zero-length mbuf
sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:1956
—
DF-0284 Low Missing per-command payload bounds checks in MCC handlers (OOB read)
sys/netgraph7/bluetooth/socket/ng_btsocket_rfcomm.c:2521
—
DF-0288 Low OOB read in mesh peering action: peer_linkid/peer_rcode decoded before length check
sys/netproto/802_11/wlan/ieee80211_mesh.c:2174
—
DF-0290 Low GANN sequence comparison not wrap-safe (raw <= on uint32)
sys/netproto/802_11/wlan/ieee80211_mesh.c:2649
—
DF-0292 Low Missing privilege check on SIOCG80211 (get path): unpriv info disclosure
sys/netproto/802_11/wlan/ieee80211_ioctl.c:3467
—
DF-0293 Low OOB heap read in setwparsnie during WPA/RSN app-IE split
sys/netproto/802_11/wlan/ieee80211_ioctl.c:2319
—
DF-0294 Low KASSERT panic/uint16 truncation in get_scan_result from remote IE length
sys/netproto/802_11/wlan/ieee80211_ioctl.c:280
—
DF-0295 Low UAF race in setappie: non-atomic pointer swap/free vs concurrent beacon/IE readers
sys/netproto/802_11/wlan/ieee80211_ioctl.c:2272
—
DF-0297 Low 1-byte heap OOB read in ng_name_node name-length validation
sys/netgraph7/netgraph/ng_base.c:817
—
DF-0298 Low ng_type->refs refcount mutated without typelist lock
sys/netgraph7/netgraph/ng_base.c:636
—
DF-0304 Low CARP shared secret key material not zeroed before kfree
sys/netinet/ip_carp.c:307
—
DF-0305 Low HMAC comparison uses non-constant-time bcmp: timing side-channel
sys/netinet/ip_carp.c:581
—
DF-0307 Low Kernel heap/code pointer leak via SYSCTL_OPAQUE of mfctable and viftable to unprivileged users
sys/net/ip_mroute/ip_mroute.c:90
—
DF-0308 Low X_ipip_input reads viftable/last_encap_vif without mroute_token: race with vif teardown
sys/net/ip_mroute/ip_mroute.c:1709
—
DF-0309 Low Unbounded pending NOCACHE upcall entries: remote memory-exhaustion DoS when mrouter active
sys/net/ip_mroute/ip_mroute.c:1266
—
DF-0310 Low Non-atomic increment of global fragment ID (ip6_id): data race / predictable fragment IDs
sys/netinet6/ip6_output.c:753
—
DF-0311 Low Multicast setsockopt discards copyin error: partially-initialized mbuf fed to ip6_setmoptions
sys/netinet6/ip6_output.c:1496
—
DF-0312 Low Unchecked ifindex2ifnet[] indexing from embedded address scope-id on loopback output
sys/netinet6/ip6_output.c:577
—
DF-0316 Low OOB read: wg_output dereferences 4 bytes from mbuf without length check in BPF AF_UNSPEC path
sys/net/wg/if_wg.c:2289
—
DF-0317 Low Unsynchronized global static shared across all WireGuard interfaces in wg_is_underload
sys/net/wg/if_wg.c:1577
—
DF-0321 Low Uninitialized stack read of maxunequalmcs when HTC_TXUNEQUAL set but ic_txstream<2
sys/netproto/802_11/wlan/ieee80211_ht.c:1643
—
DF-0322 Low No validation of tid/baw before indexing ni_rx_ampdu[tid] and setting rxa_wnd
sys/netproto/802_11/wlan/ieee80211_ht.c:566
—
DF-0323 Low ampdu_dispatch re-enters ieee80211_input while iterating rxa_m[] (re-entrancy)
sys/netproto/802_11/wlan/ieee80211_ht.c:616
—
DF-0327 Low ieee80211_ies_expand walks IE blob with no length validation: OOB read
sys/netproto/802_11/wlan/ieee80211_node.c:982
—
DF-0328 Low node_getmimoinfo loops on untrusted ni_mimo_chains without clamping to array size
sys/netproto/802_11/wlan/ieee80211_node.c:1164
—
DF-0329 Low icmp6_redirect_output leaks uninitialized mbuf heap bytes in padded redirected-header option
sys/netinet6/icmp6.c:2560
—
DF-0330 Low Global mutable pointer used as qsort comparator state: latent cross-bundle race
sys/netgraph7/ppp/ng_ppp.c:471
—
DF-0331 Low Unbounded kprintf on fragment-queue exhaustion: remote log-flood DoS
sys/netgraph7/ppp/ng_ppp.c:1519
—
DF-0333 Low Kernel pointer leak to unprivileged users via in_pcblist_range xinpcb dump
sys/netinet/in_pcb.c:2409
—
DF-0334 Low Divide-by-zero panic in ephemeral port allocation on degenerate sysctl port range
sys/netinet/in_pcb.c:424
—
DF-0336 Low tcp6_getcred hands live cred pointer to blocking copyout (UAF window) unlike IPv4 path
sys/netinet/tcp_subr.c:1366
—
DF-0338 Low tcp_mtudisc accepts forged ICMP MTU small enough to drive t_maxseg negative
sys/netinet/tcp_subr.c:1783
—
DF-0340 Low in6_ifremloop leaks rtentry refcount when matched route is not loopback host route
sys/netinet6/in6.c:318
—
DF-0341 Low in6_lifaddr_ioctl SIOCDLIFADDR copies prefix mask into ifra_dstaddr instead of ifra_prefixmask
sys/netinet6/in6.c:1606
—
DF-0344 Low No re-validation of m_len>=hlen after pfil hook rewrite/dummynet re-entry
sys/netinet/ip_input.c:631
—
DF-0346 Low Uninitialized stack read of rsnparms on WPS/TSN assoc path bypasses HT-cipher downgrade protection
sys/netproto/802_11/wlan/ieee80211_hostap.c:1934
—
DF-0347 Low Undefined behavior: 1<<32 in WPA/RSN cipher selector parsing for unknown OUI
sys/netproto/802_11/wlan/ieee80211_hostap.c:1198
—
DF-0353 Low hwmp_recv_perr switches on dest_flags instead of dest_rcode: PERR never actioned
sys/netproto/802_11/wlan/ieee80211_hwmp.c:1768
—
DF-0356 Low nd6_resolve ln_hold mbuf accessed without nd6_mtx: UAF race with nd6_timer
sys/netinet6/nd6.c:2078
—
DF-0358 Low Sign error in netmap_grab_packets: computes cur+reserved instead of cur-reserved, forwarding wrong slots to host stack
sys/net/netmap/netmap.c:736
—
DF-0359 Low Unguarded uint32 subtraction can underflow nr_hwavail causing self-inflicted ring-state corruption
sys/net/netmap/netmap.c:906
—
DF-0360 Low nm_dump_buf writes unbounded hex dump into fixed 8 KiB static buffer _dst
sys/net/netmap/netmap.c:322
—
DF-0361 Low Default netmap ioctl passthrough fabricates zeroed stack struct socket passed to ifioctl
sys/net/netmap/netmap.c:1488
—
DF-0363 Low ieee80211_dump_pkt reads WEP/QoS/4-addr fields without bounds-checking against frame length: OOB read when debug enabled
sys/netproto/802_11/wlan/ieee80211_proto.c:591
—
DF-0367 Low lagg_input dereferences ifp->if_lagg unlocked: UAF during concurrent port detach
sys/net/lagg/if_lagg.c:1442
—
DF-0370 Low Marker PDU reflection without rate-limiting or request-address validation: on-link amplification DoS
sys/net/lagg/ieee8023ad_lacp.c:1911
—
DF-0371 Low Unlocked memcmp of lp_marker before LACP_LOCK: torn-read data race with lacp_xmit_marker
sys/net/lagg/ieee8023ad_lacp.c:1934
—
DF-0373 Low delete_pipe uses wrong constant DN_NR_HASH_MAX(16) instead of DN_PIPE_NR_MAX(65536): pipes 17-65536 permanently undeletable
sys/net/dummynet/ip_dummynet.c:1654
—
DF-0374 Low config_red divides by (max_th-min_th) and max_th without zero/negative check: kernel panic via setsockopt
sys/net/dummynet/ip_dummynet.c:1346
—
DF-0375 Low red_drops divides by fs->lookup_step taken verbatim from user config: panic when lookup_step==0
sys/net/dummynet/ip_dummynet.c:885
—
DF-0376 Low Negative qsize bypasses queue-size limit via signed/unsigned comparison: unbounded mbuf accumulation / OOM
sys/net/dummynet/ip_dummynet.c:1437
—
DF-0379 Low NGM_BINARY2ASCII heap OOB read via ng_unparse: arglen not validated against mesgType/respType struct size
sys/netgraph/netgraph/ng_base.c:1505
—
DF-0380 Low Non-atomic refcount --node->refs/--hook->refs under crit_enter only: cross-CPU UAF/double-free race
sys/netgraph/netgraph/ng_base.c:473
—
DF-0381 Low NGM_LISTHOOKS dereferences hook->peer without lock or ref: TOCTOU NULL-deref/UAF vs concurrent disconnect
sys/netgraph/netgraph/ng_base.c:1374
—
DF-0383 Low SET_TICKS computes len*8*dn_hz as signed int: overflow for jumbo at high dn_hz — same as dummynet v1 unfixed
sys/net/dummynet3/ip_dummynet3.c:450
—
DF-0386 Low ng_ppp_frag_checkstale sequence tracking diverges after gaps: stale-packet delivery suppressed
sys/netgraph/ppp/ng_ppp.c:1384
—
DF-0387 Low No MRRU enforcement on MP fragment reassembly: peer can assemble oversized PDUs beyond negotiated MRRU
sys/netgraph/ppp/ng_ppp.c:1203
—
DF-0389 Low Sockaddr padding not zeroed in rt_msg_buffer/rt_msg_mbuf: 1-7 bytes kernel memory leak per sockaddr
sys/net/rtsock.c:1140
—
DF-0390 Low rt_xaddrs accepts sockaddrs with sa_len below _SA_MINSIZE: inconsistent with RO_MISSFILTER validation
sys/net/rtsock.c:1010
—
DF-0392 Low Fragment overlap trim uses non-8-aligned shifts for last-fragment overlaps: inconsistent reassembly metadata
sys/net/pf/pf_norm.c:412
—
DF-0394 Low SSID/rates/xrates copies rely solely on upstream parse_beacon validation: KASSERT is no-op on production kernels
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:282
—
DF-0395 Low sta_lookup returns entry with table lock released: callers dereference unlocked TOCTOU use-after-free window
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:1283
—
DF-0396 Low sta_iterate drops table lock across user callback: entry can be freed concurrently use-after-free
sys/netproto/802_11/wlan/ieee80211_scan_sta.c:1413
—
DF-0397 Low rt_setshims: unchecked R_Malloc (M_NULLOK) leads to NULL-pointer-write panic via bcopy to NULL
sys/net/route.c:1374
—
DF-0399 Low rtredirect_oncpu ignores rt_setgate return: routes redirect that failed or self-targets
sys/net/route.c:421
—
DF-0400 Low rt_fixchange indexes mask bytes by key length without verifying mask size: latent OOB read
sys/net/route.c:1130
—
DF-0403 Low Unvalidated dst_ring from custom lookup causes OOB index into dst_ents array
sys/net/netmap/netmap_vale.c:1162
—
DF-0404 Low Potential OOB ring access in netmap_bwrap_register for NICs with asymmetric TX/RX ring counts
sys/net/netmap/netmap_vale.c:1699
—
DF-0407 Low setsockopt(IP_OPTIONS) overwrites copyin error: parses stale mbuf data as IP options on copyin failure
sys/netinet/ip_output.c:1097
—
DF-0412 Low Kernel heap OOB read in ng_string_unparse via unbounded strlen on binary data without NUL terminator
sys/netgraph7/netgraph/ng_parse.c:747
—
DF-0415 Low Signed integer overflow in keepalive t_maxidle: t_keepintvl*t_keepcnt exceeds INT_MAX at high hz
sys/netinet/tcp_usrreq.c:1644
—
DF-0419 Low nd6_ra_input mutates per-interface ND timing state (reachable/retrans/chlim/linkmtu) without nd6_mtx: data race
sys/netinet6/nd6_rtr.c:272
—
DF-0421 Low ng_ubt_rcvdata calls panic() on malformed HCI frames from netgraph hook: local DoS
sys/netgraph7/bluetooth/drivers/ubt/ng_ubt.c:1755
—
DF-0422 Low Missing validation of queue length in NGM_UBT_NODE_SET_QLEN: negative qlen -> uint32 wrap to 0xFFFFFFFF unbounded queuing
sys/netgraph7/bluetooth/drivers/ubt/ng_ubt.c:1625
—
DF-0424 Low Unvalidated mf6cc_parent stored in MFC: OOB read in ip6_mdq debug path when parent >= MAXMIFS(64)
sys/netinet6/ip6_mroute.c:751
—
DF-0425 Low MRT6 setsockopt handlers cast mtod() without verifying m_len against struct size: reads uninitialized mbuf data
sys/netinet6/ip6_mroute.c:277
—
DF-0426 Low MFC table protected only by crit_enter (local-CPU) not token/lock: cross-CPU UAF race
sys/netinet6/ip6_mroute.c:359
—
DF-0432 Low Crafted PFSYNC_ACT_BUS endtime prematurely marks pfsync_sync_ok: HA-status spoofing
sys/net/pf/if_pfsync.c:950
—
DF-0433 Low bpf_mtap_hdr submits partially-initialized stack mbuf: bpf_mtap reads uninitialized m_pkthdr.rcvif
sys/net/bpf.c:1347
—
DF-0434 Low bpf_filter_read (knote f_event) reads bd_* state and re-arms callout without bpf_token: race
sys/net/bpf.c:1206
—
DF-0435 Low bpf_movein IEEE80211_RADIO path: ibp_len from user packet drives link-header copy without proper mbuf bounds check
sys/net/bpf.c:264
—
DF-0437 Low Receive-path filter dereferences mbuf data without m_pullup: OOB read within mbuf cluster on short first mbuf
sys/netgraph7/bluetooth/socket/ng_btsocket_hci_raw.c:474
—
DF-0438 Low Kernel stack info-leak via uninitialized redstats[3] array in hfsc_getqstats copyout
sys/net/altq/altq_hfsc.c:293
—
DF-0439 Low hfsc_dequeue panic() on NULL from hfsc_getq: kernel-panic DoS if backlogged class queue drains underneath scheduler
sys/net/altq/altq_hfsc.c:827
—
DF-0442 Low rmc_init stores user-driven maxqueued_ without validation: div-by-zero or heap OOB via fixed-size array modulus
sys/net/altq/altq_rmclass.c:680
—
DF-0443 Low Integer overflow in scaled scheduler parameter math: maxidle/offtime/pkttime products truncate to 32-bit int
sys/net/altq/altq_rmclass.c:248
—
DF-0446 Low SIOCSIFMTU missing lower-bound validation: ifr_mtu=0 or negative accepted, corrupts downstream MSS/fragmentation math
sys/net/if_ethersubr.c:715
—
DF-0455 Low MCC multi-byte length decode reverses octet ordering: interoperability bug for MCC frames >= 128 bytes
sys/netbt/rfcomm_session.c:1027
—
DF-0456 Low NULL deref in rfcomm_session_complete: credit NULL check under #ifdef DIAGNOSTIC only, no guard on production
sys/netbt/rfcomm_session.c:446
—
DF-0462 Low bzero targets wrong field (&conf not &stats) with wrong size (session_stats=32 not sess_config=8): 24-byte intra-struct overflow
sys/netgraph7/l2tp/ng_l2tp.c:748
—
DF-0465 Low Handshake state irrevocably corrupted when noise_begin_session kmalloc(M_NOWAIT) fails
sys/net/wg/wg_noise.c:1188
β€”
DF-0468 Low ip6_savecontrol ext-header walk has no nest limit (self-flagged by code comment)
sys/netinet6/ip6_input.c:1214
β€”
DF-0469 Low ip6_get_prevhdr dereferences ip6e without validating len against m_len: fragile implicit contract
sys/netinet6/ip6_input.c:1418
β€”
DF-0478 Low Rule set field not validated: 1<<set with set>=32 is UB enabling rule-set bypass
sys/net/ipfw3/ip_fw3.c:487
β€”
DF-0479 Low ip_fw3_ctl_delete_rule: unchecked direct pointer deref of sopt_val without size validation
sys/net/ipfw3/ip_fw3.c:850
β€”
DF-0480 Low TCP-MD5 signature option construction overflows 40-byte opt[] stack buffer (disabled by default)
sys/netinet/tcp_output.c:779
β€”
DF-0481 Low Integer overflow in root path cost comparison allows topology manipulation via crafted BPDU
sys/net/bridge/bridgestp.c:513
β€”
DF-0482 Low sc_topology_change_time never initialized: premature TC timer expiry defeats topology change notification
sys/net/bridge/bridgestp.c:1465
β€”
DF-0485 Low IPv6 syncache hash uses only 64/128 address bits with 32-bit secret: attacker-guaranteed bucket collisions
sys/netinet/tcp_syncache.c:157
β€”
DF-0486 Low syncache_insert dereferences possibly-uninitialized sc2 in cache-overflow path when cachelimit=0
sys/netinet/tcp_syncache.c:359
β€”
DF-0487 Low sc_flags assign instead of OR wipes SCF_HASH and negotiated-option flags on TF_NOOPT listener
sys/netinet/tcp_syncache.c:1102
β€”
DF-0491 Low NULL td dereference in SIOCSIFDSTADDR and default ioctl handlers despite documented td might be NULL contract
sys/netinet/in.c:606
β€”
DF-0493 Low KASSERT-only bounds check on nack before xwin[] indexing: no runtime protection in production kernels
sys/netgraph/l2tp/ng_l2tp.c:1141
β€”
DF-0496 Low rn_walktree_from dereferences caller-supplied mask without NULL check
sys/net/radix.c:1098
β€”
DF-0498 Low SIOC_L2CAP_L2CA_GET_INFO: unvalidated info_size causes oversized kmalloc + feature non-functional
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:1061
β€”
DF-0499 Low Unprivileged info disclosure: read-only L2CAP node ioctls (GET_CON_LIST, GET_CHAN_LIST) lack privilege check
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:850
β€”
DF-0501 Low netgraph message leak on ioctl timeout-vs-response race
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:910
β€”
DF-0504 Low ng_fec_choose_port dereferences ether/ip/ip6 headers with no mbuf length validation
sys/netgraph7/ng_fec.c:1018
β€”
DF-0505 Low ng_fec_input defined 2 params but assigned to 4-param if_input slot: calling-convention UB
sys/netgraph7/ng_fec.c:862
β€”
DF-0506 Low ng_fec_ether_cmdmulti iterates if_multiaddrs lockless + leaks membership on partial kmalloc failure
sys/netgraph7/ng_fec.c:542
β€”
DF-0511 Low UAF/stale-socket race in deferred upcall ng_ksocket_incoming2: queued so pointer may be freed by shutdown
sys/netgraph7/ksocket/ng_ksocket.c:985
β€”
DF-0512 Low Unbounded sockaddr stored into fixed-size struct sockaddr in accept response: type confusion latent
sys/netgraph7/ksocket/ng_ksocket.c:1250
β€”
DF-0514 Low REJECT_RST copies full 20-byte tcphdr after PULLUP_TO guaranteed only 14: stale mbuf buffer leak in RST
sys/net/ip6fw/ip6_fw.c:629
β€”
DF-0515 Low add_entry6 null-terminates fw_in_if.name but not fw_out_if.name: kfnmatch bounded over-read
sys/net/ip6fw/ip6_fw.c:851
β€”
DF-0516 Low ip6opts_match bails to opts_check on short first mbuf: IPv6 option matching silently skipped -> firewall bypass
sys/net/ip6fw/ip6_fw.c:256
β€”
DF-0519 Low ICMP PMTUD accepts attacker-controlled nextmtu: PMTU poisoning via unauthenticated frag-needed
sys/netinet/ip_icmp.c:282
β€”
DF-0520 Low icmp_reflect reflects source-route/RR/TS IP options into echo reply: info leak + source-route revival
sys/netinet/ip_icmp.c:1025
β€”
DF-0523 Low Deferred INTERNAL_UPCALL re-invokes upcall against torn-down node/socket: UAF/NULL deref (DF-0511 v1 twin)
sys/netgraph/ksocket/ng_ksocket.c:623
β€”
DF-0530 Low ng_fec_free_unit increments usage counter instead of decrementing + global bitmap mutated without locks
sys/netgraph/fec/ng_fec.c:290
β€”
DF-0532 Low bt3c_download_firmware: unvalidated block_size causes heap OOB read of msg->data
sys/netgraph7/bluetooth/drivers/bt3c/ng_bt3c_pccard.c:1121
β€”
DF-0537 Low TOCTOU race on priv->datasock in ng_connect_data: check unlocked, set under lock
sys/netgraph7/socket/ng_socket.c:790
β€”
DF-0541 Low Uninitialized cp.data[0] in Command Reject MTU_EXCEEDED sets link MTU to stack garbage
sys/netbt/l2cap_signal.c:91
β€”
DF-0544 Low hardware_error and data_buffer_overflow: missing NG_HCI_M_PULLUP + length check on 1-byte body
sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:826
β€”
DF-0545 Low Buffer accounting u_int16_t wrap in num_compl_pkts via attacker-controlled compl_pkt: throughput DoS
sys/netgraph7/bluetooth/hci/ng_hci_evnt.c:905
β€”
DF-0548 Low bitmap[0]=~3 marks non-existent objects free when pool has <32 objects
sys/net/netmap/netmap_mem2.c:677
β€”
DF-0549 Low netmap_obj_offset returns 0 on error indistinguishable from valid offset 0: masks failures
sys/net/netmap/netmap_mem2.c:227
β€”
DF-0551 Low MTU unsigned underflow when parent MTU < EVL_ENCAPLEN(4)
sys/net/vlan/if_vlan.c:727
β€”
DF-0552 Low VLAN tag match strips priority on input but stores full 16-bit tag: input/output asymmetry
sys/net/vlan/if_vlan.c:605
β€”
DF-0555 Low m_pullup is dead code: packetlen=m_len then m_len<packetlen always false, mbuf chains mis-parsed
sys/netgraph/lmi/ng_lmi.c:575
β€”
DF-0556 Low DLCI array index without local bounds check in nglmi_rcvdata: latent heap OOB write
sys/netgraph/lmi/ng_lmi.c:692
β€”
DF-0557 Low Callout UAF race on hook disconnect/node shutdown: callout_stop doesnt drain ticker
sys/netgraph/lmi/ng_lmi.c:1062
β€”
DF-0563 Low Dead m_pullup: packetlen=m_len makes check tautologically false β€” ng7 twin of DF-0555
sys/netgraph7/lmi/ng_lmi.c:569
β€”
DF-0564 Low DLCI array access lacks local bounds check β€” ng7 twin of DF-0556
sys/netgraph7/lmi/ng_lmi.c:690
β€”
DF-0567 Low Memory leak of in-progress reassembly mbuf when new ACL START arrives
sys/netbt/hci_link.c:471
β€”
DF-0574 Low Uninitialized kernel stack read as alias IPs via count mismatch in copyin
sys/net/ipfw3_nat/ip_fw3_nat.c:756
β€”
DF-0576 Low Callout handlers dereference sc_ttyp before NULL check/token: callout-vs-close race panic
sys/net/sl/if_sl.c:1012
β€”
DF-0577 Low Integer overflow in SLIOCSKEEPAL/SLIOCSOUTFILL interval computation: tight callout loop DoS
sys/net/sl/if_sl.c:398
β€”
DF-0578 Low SLIOCSUNIT struct-assigns embedded callout nodes: callout queue corruption
sys/net/sl/if_sl.c:365
β€”
DF-0582 Low ieee80211_parse_beacon FHPARMS/DSPARMS field reads exceed declared IE length: OOB read
sys/netproto/802_11/wlan/ieee80211_input.c:571
β€”
DF-0583 Low ieee80211_parse_ath heap over-read via short Atheros vendor IE
sys/netproto/802_11/wlan/ieee80211_superg.c:198
β€”
DF-0587 Low NULL vap deref in scan_curchan_task: scan state not re-validated after dropping IEEE80211_LOCK across ic_set_channel
sys/netproto/802_11/wlan/ieee80211_scan_sw.c:741
β€”
DF-0591 Low Legacy netgraph/ng_bridge leaks mbuf+meta when the bridge has exactly one link (numLinks==1 fan-out loop never runs)
sys/netgraph/bridge/ng_bridge.c:663
β€”
DF-0592 Low Uninitialized kernel stack leaked to userspace via fairq_getqstats copyout of struct fairq_classstats
sys/net/altq/altq_fairq.c:282
β€”
DF-0002 Info sys_fhopen returns spurious success (fd 0) on VREG-without-VM-object invariant violation
sys/kern/vfs_syscalls.c:4933
β€”
DF-0004 Info devaddq error path leaks data buffer due to wrong variable checked (loc instead of data)
sys/kern/subr_bus.c:615
β€”
DF-0007 Info Uninitialized struct sigaction trailing padding leaked to userspace via oact copyout
sys/kern/kern_sig.c:260
β€”
DF-0012 Info vop_nremove quota-accounting glue: latent NULL-deref on nc_vp, nlink TOCTOU, wrong mount for PFS overlays
sys/kern/vfs_vopops.c:1660
—
DF-0023 Info Missing return after EINVAL in sys_read/sys_write/sys_extpwrite bypasses nbyte>SSIZE_MAX guard
sys/kern/sys_generic.c:130
—
DF-0036 Info %n format specifier enabled in kernel printf engine with zero in-tree consumers
sys/kern/subr_prf.c:688
—
DF-0037 Info sys_getpgid / sys_getsid lack cross-session visibility checks (unprivileged pgid/sid enumeration)
sys/kern/kern_prot.c:106
—
DF-0043 Info SYSCTL_INT declared for long counters (auxrecovervnodes1/2) - type/size mismatch
sys/kern/vfs_lock.c:109
—
DF-0048 Info CALLOUT_PREVENTED set on wrong structure (verifier/cc) vs read from backend _callout -> wrong callout_stop/cancel/drain return
sys/kern/kern_timeout.c:600
—
DF-0049 Info IPI ring/serial indices are signed int, incremented without wraparound handling (overflow after ~2^31 messages)
sys/kern/lwkt_ipiq.c:218
—
DF-0051 Info msgsnd lacks explicit MSGMAX upper-bound check; msg_ts (u_short) silently truncates when MSGMNB compiled > 65535 (latent panic)
sys/kern/sysv_msg.c:50
—
DF-0064 Info Unsynchronized data race on desc->total_objects (statistics-only, no security impact)
sys/kern/kern_objcache.c:357
—
DF-0065 Info OOB read of thread struct before panic in lwkt_reltoken assertion path (console-only, no userspace leak)
sys/kern/lwkt_token.c:841
—
DF-0066 Info Undefined behavior: shift by sysctl-controlled token_window_shift in backoff spin
sys/kern/lwkt_token.c:398
—
DF-0068 Info IBAA-only RNG mode (rand_mode==1) has no seeding-readiness gate before first output
sys/kern/kern_nrandom.c:700
—
DF-0069 Info Signed integer overflow (C UB) in lock range end calculation (caught by guard, no corruption reachable)
sys/kern/kern_lockf.c:227
—
DF-0073 Info Pointless cfi++ causes 1-element OOB read in DEBUG builds (elf_getfiles)
sys/kern/kern_checkpoint.c:667
—
DF-0078 Info pps_shift/pps_shiftmax sysctl lack range validation allowing UB shift counts in hardpps (root self-DoS)
sys/kern/kern_ntptime.c:265
—
DF-0082 Info Latent heap overflow in sbuf_extend via int truncation of caller length (zero callers, unreachable today)
sys/kern/subr_sbuf.c:150
—
DF-0086 Info dev_dopen dereferences inner *a_fpp without NULL check (latent panic, no current trigger)
sys/kern/kern_device.c:151
—
DF-0087 Info Signed integer overflow (C UB) in new_unrhdr last computation when high=INT_MAX
sys/kern/subr_unit.c:257
—
DF-0091 Info Lock-order inversion between sysctl_rman and rman_fini creates ABBA deadlock potential (rman_fini dead code)
sys/kern/subr_rman.c:155
—
DF-0092 Info sysctl_rman leaks 4 bytes uninitialized kernel stack via struct u_resource trailing padding
sys/kern/subr_rman.c:700
—
DF-0094 Info shmrealloc initializes OLD shmsegs[] instead of newsegs[] - heap OOB write + uninit new array (dead code)
sys/kern/sysv_shm.c:683
—
DF-0098 Info sglist_consume_uio loop does not check uio_iovcnt before reading uio_iov (defense-in-depth, dead code)
sys/kern/subr_sglist.c:402
—
DF-0100 Info Missing NULL check on vfsconf_find_by_name("devfs") before dereference in vfs_mountroot_devfs
sys/kern/vfs_conf.c:300
—
DF-0104 Info Boot-time ktr_buf/ktr_entries_mask publication relies on TSO (no explicit read-side barrier, x86-only safe)
sys/kern/kern_ktr.c:231
—
DF-0109 Info l32_fixlabel partition loop lacks internal d_npartitions cap
sys/kern/subr_disklabel32.c:592
—
DF-0112 Info __sccl scanset range-fill writes tab[256] when range endpoint is 0xFF
sys/kern/subr_scanf.c:605
—
DF-0114 Info PT_IO trusts user piod_len without bounds check; narrows size_t into ssize_t uio_resid
sys/kern/sys_process.c:429
—
DF-0115 Info sys_ptrace discards copyout error returning PT_IO descriptor
sys/kern/sys_process.c:112
—
DF-0116 Info copyin/copyout/uiomove_nofault clear TDF_NOFAULT unconditionally instead of save/restore
sys/kern/kern_subr.c:60
—
DF-0119 Info Latent OOB write if aux_data/aux_size invariant breaks
sys/kern/subr_diskiocom.c:207
—
DF-0121 Info Signed/unsigned confusion defeats length clamp in KENV_GET
sys/kern/kern_environment.c:141
—
DF-0122 Info kgetenv_quad signed-shift overflow on magnitude-suffixed values
sys/kern/kern_environment.c:436
—
DF-0123 Info kernenv_next unbounded walk of bootloader static env
sys/kern/kern_environment.c:510
—
DF-0126 Info TIOCCONS privilege check skipped when a_cred is NULL
sys/kern/tty_cons.c:486
—
DF-0127 Info cndbctl uses unlocked static refcount
sys/kern/tty_cons.c:570
—
DF-0131 Info fp_mmap size arithmetic can wrap past SSIZE_MAX after signedness check
sys/kern/kern_fp.c:409
—
DF-0153 Info EXCLWAIT bitfield can overflow into SPINLOCK_SHARED bit; no bounds guard
sys/kern/kern_spinlock.c:206
—
DF-0154 Info KKASSERT-only invariants vanish on production kernels (UAF/queue-corruption risk)
sys/kern/kern_systimer.c:148
—
DF-0155 Info Division by unvalidated freq<=0 -> kernel divide-by-zero panic
sys/kern/kern_systimer.c:269
—
DF-0159 Info xio_init_pages accepts negative npages; only upper bound asserted
sys/kern/kern_xio.c:142
—
DF-0160 Info xio_init_kbuf silently truncates when kbytes exceeds XIO_INTERNAL_SIZE
sys/kern/kern_xio.c:113
—
DF-0164 Info sys_modstat copyout non-NUL-terminated module name when name>=MAXMODNAME
sys/kern/kern_module.c:348
—
DF-0168 Info Lazy objcache creation in sysref_alloc is racy (no lock on srclass->oc init)
sys/kern/kern_sysref.c:142
—
DF-0169 Info sysref_get has no refcount overflow guard
sys/kern/kern_sysref.c:66
—
DF-0171 Info Ignored copyout return in sys_sched_getparam
sys/kern/kern_p1003_1b.c:245
—
DF-0172 Info mpipe_free reads/writes mpipe->pending outside the lwkt_token
sys/kern/kern_mpipe.c:344
—
DF-0175 Info Integer overflow in NPROC macro via unbounded kern.maxusers
sys/kern/subr_param.c:56
—
DF-0180 Info Fragile zeroing contract for fill_kinfo_lwp aggregation (+=)
sys/kern/kern_kinfo.c:219
—
DF-0184 Info Lockless read of exec_res_id counter mutated under list lock
sys/kern/imgact_resident.c:138
—
DF-0188 Info No defense-in-depth privilege check; acl_cnt not bounds-validated pre-VOP
sys/kern/kern_acl.c:74
—
DF-0192 Info Concurrent writer/reader cursor updates on msg_bufl unsynchronized
sys/kern/subr_log.c:153
—
DF-0194 Info vfs_mount caches mnt_cred with unlocked check-then-set
sys/kern/vfs_vfsops.c:89
—
DF-0197 Info sysctl_devstat copies full struct devstat including unset fields and padding
sys/kern/subr_devstat.c:289
—
DF-0201 Info dhp computed from raw tv_sec instead of UTC-adjusted t1
sys/kern/subr_fattime.c:150
—
DF-0205 Info Timeout conversion uses 32-bit int arithmetic that can overflow
sys/kern/kern_umtx.c:188
—
DF-0206 Info Dead code: offset computed and never used in both syscalls
sys/kern/kern_umtx.c:114
—
DF-0210 Info clist_catq infinite loop on aliasing (cls==cld)
sys/kern/tty_subr.c:294
—
DF-0211 Info No negative-size guard on ccmax in clist_alloc_cblocks
sys/kern/tty_subr.c:61
—
DF-0213 Info last_td tracking field uses non-atomic plain load/store racy on SMP
sys/kern/lwkt_serialize.c:112
—
DF-0214 Info handler_disable discards in-flight indicator from atomic_intr_handler_disable
sys/kern/lwkt_serialize.c:149
—
DF-0215 Info Wait-counter inc/dec can overflow into control bits (theoretical)
sys/kern/lwkt_serialize.c:271
—
DF-0218 Info kcollect_setvalue divides by kcollect_samples without guard
sys/kern/kern_collect.c:128
—
DF-0219 Info kcollect_setscale/setvalue mutate shared state without kcollect_lock
sys/kern/kern_collect.c:124
—
DF-0222 Info csprng_get_random byte count signed int: huge u_int requests silently truncate to 0
sys/kern/subr_csprng.c:127
—
DF-0225 Info Implicit undocumented locking contract on lwp_rtprio writes
sys/kern/kern_sched.c:175
—
DF-0230 Info table_blocks computed before entries/entsz validation (fragile ordering)
sys/kern/subr_diskgpt.c:131
—
DF-0231 Info Buffer-size safety depends solely on KKASSERT debug assertions
sys/kern/subr_diskgpt.c:93
—
DF-0242 Info TOCTOU: td_proc NULL check without holding kpsus_token
sys/kern/kern_kthread.c:190
—
DF-0244 Info ldisc_deregister missing lower-bound check: negative index OOB write into linesw[]
sys/kern/tty_conf.c:122
—
DF-0247 Info cpuid bounds check is KASSERT-only — compiled out in production kernels
sys/kern/subr_cpuhelper.c:45
—
DF-0250 Info Dead page-alignment computation: iolen computed but never applied
sys/kern/kern_physio.c:88
—
DF-0251 Info PC_TO_INDEX u_quad_t overflow on 64-bit (correctness only, bounds check prevents OOB)
sys/kern/subr_prof.c:86
—
DF-0252 Info Theoretical cross-field torn-read between sys_profil multi-field update and addupc
sys/kern/subr_prof.c:68
—
DF-0255 Info Non-atomic RMW on global synth_synced counter (race)
sys/kern/vfs_synth.c:49
—
DF-0299 Info ng_bypass rewrites peer back-pointers without topology lock
sys/netgraph7/netgraph/ng_base.c:1207
—
DF-0300 Info ng_decodeidname truncates u_long to ng_ID_t without range check
sys/netgraph7/netgraph/ng_base.c:919
—
DF-0313 Info Sticky Hop-by-Hop/Destination options un-settable: hardcoded priv=0 always returns EPERM for root
sys/netinet6/ip6_output.c:2019
—
DF-0314 Info Inconsistent privilege enforcement: RFC3542 GET path lacks priv check present in RFC2292 path
sys/netinet6/ip6_output.c:1942
—
DF-0318 Info Inconsistent atomic vs non-atomic access to wg_packet::p_state
sys/net/wg/if_wg.c:508
—
DF-0319 Info Lockless torn reads of multi-word struct wg_endpoint in fast paths
sys/net/wg/if_wg.c:746
—
DF-0324 Info HT cap/info IE parsers perform no own length validation (caller-trust fragile)
sys/netproto/802_11/wlan/ieee80211_ht.c:1418
—
DF-0332 Info Statistics counters read without lock: torn 64-bit reads
sys/netgraph7/ppp/ng_ppp.c:647
—
DF-0335 Info in_pcbportrange can invert hi<lo causing u_short underflow and out-of-range port binds
sys/netinet/in_pcb.c:2533
—
DF-0339 Info tcp_new_isn last_offset signed int overflow-wrap on churn (UB / monotonicity erosion)
sys/netinet/tcp_subr.c:1670
—
DF-0342 Info in6_update_ifa inconsistent error handling on multicast group joins
sys/netinet6/in6.c:1144
—
DF-0343 Info IPv6 address configured while interface is down bypasses Duplicate Address Detection entirely
sys/netinet6/in6.c:1070
—
DF-0345 Info IP header checksum left stale after kernel records RR/TS options on locally-delivered packets
sys/netinet/ip_input.c:1702
—
DF-0348 Info Missing m_pullup for management frames: no guarantee frame header contiguous
sys/netproto/802_11/wlan/ieee80211_hostap.c:594
—
DF-0357 Info nd6_cache_lladdr ignores lladdrlen parameter, uses ifp->if_addrlen for bcopy
sys/netinet6/nd6.c:1768
—
DF-0364 Info ieee80211_fix_rate and findrix iterate rs_rates without validating rs_nrates <= IEEE80211_RATE_MAXSIZE: missing defense-in-depth
sys/netproto/802_11/wlan/ieee80211_proto.c:623
—
DF-0368 Info lagg_clone_create error path calls if_free on embedded ifnet: latent double-free if protocol attach ever fails
sys/net/lagg/if_lagg.c:304
—
DF-0369 Info lagg_port_ioctl fallback forwards ioctl to driver but always returns EINVAL discarding result
sys/net/lagg/if_lagg.c:896
—
DF-0372 Info Undefined behavior shift 1 << if_dunit for member NIC unit numbers >= 32
sys/net/lagg/ieee8023ad_lacp.c:310
—
DF-0377 Info config_red error path kfrees struct that may be embedded member of dn_pipe: latent UAF/invalid-free
sys/net/dummynet/ip_dummynet.c:1359
—
DF-0378 Info SET_TICKS computes len*8*dn_hz in int: overflow for jumbo packets at high dn_hz -> shaper bypass
sys/net/dummynet/ip_dummynet.c:431
—
DF-0384 Info delete_pipe uses DN_NR_HASH_MAX(16) instead of DN_PIPE_NR_MAX(65536): pipes 17-65536 undeletable — same as v1
sys/net/dummynet3/ip_dummynet3.c:1645
—
DF-0385 Info config_red kfrees caller-owned possibly-embedded struct on red_lookup_depth==0 path: latent UAF — same as v1
sys/net/dummynet3/ip_dummynet3.c:1364
—
DF-0398 Info rt_setshims leaks previously allocated shims on partial allocation failure
sys/net/route.c:1374
—
DF-0405 Info Missing null-termination of bdg_basename when namelen==IFNAMSIZ: OOB read in debug format strings
sys/net/netmap/netmap_vale.c:331
—
DF-0408 Info ip_optcopy validates IP-option lengths only with KASSERT (no-op on production): latent OOB read
sys/netinet/ip_output.c:1018
—
DF-0409 Info Unprivileged users can install IP source-route options (LSRR/SSRR) without privilege check
sys/netinet/ip_output.c:1097
—
DF-0413 Info Primitive parse functions write to output buffer without checking *buflen: missing defense-in-depth bounds check
sys/netgraph7/netgraph/ng_parse.c:332
—
DF-0416 Info TCP_MAXSEG minmss floor can raise t_maxseg above current negotiated value on small-MTU paths
sys/netinet/tcp_usrreq.c:1613
—
DF-0427 Info ip6_mrouter_set performs no explicit capability check: relies entirely on raw-socket attach privilege
sys/netinet6/ip6_mroute.c:265
—
DF-0440 Info red_pkttime computed as int64 then stored into int: truncation/overflow for jumbo MTU or low m2
sys/net/altq/altq_hfsc.c:451
—
DF-0444 Info rmc_newclass does not reject negative priority: only checks upper bound, latent negative array index
sys/net/altq/altq_rmclass.c:201
—
DF-0447 Info AF_ARP output case is dead code carrying latent uninitialized-read/OOB-read: mtod returns ether_header not arphdr after M_PREPEND
sys/net/if_ethersubr.c:237
—
DF-0448 Info Safety-critical checks rely on KASSERT/KKASSERT which are no-ops on production kernels without INVARIANTS
sys/net/if_ethersubr.c:993
—
DF-0452 Info Octal/hex escape loops in ng_get_string_token: counter k never incremented, consumes all consecutive digits
sys/netgraph/netgraph/ng_parse.c:1599
—
DF-0459 Info user_frac sysctl accepts any uint32 without range validation (documented 0-100)
sys/net/if_poll.c:1116
—
DF-0460 Info status_frac / tx_frac sysctls have no upper bound: signed int overflow in ifpoll_compat_setup
sys/net/if_poll.c:1497
—
DF-0461 Info Potential signed integer overflow in kern_load burst-adaptation math
sys/net/if_poll.c:1019
—
DF-0463 Info Lockless write to seq->inproc in M_PREPEND failure path: data race
sys/netgraph7/l2tp/ng_l2tp.c:957
—
DF-0464 Info bzero (not explicit_bzero) used to clear sensitive key material in heap structs: DSE risk
sys/net/wg/wg_noise.c:411
—
DF-0466 Info Potentially unaligned 64-bit write constructing transport AEAD nonce
sys/net/wg/wg_noise.c:996
—
DF-0467 Info Dead code in ip6_savecontrol: RTHDRDSTOPTS walk result discarded, RFC3542 semantics not implemented
sys/netinet6/ip6_input.c:1173
—
DF-0470 Info Disabling ip6_hdrnestlimit sysctl (=0) removes only ext-header depth bound: no hard floor
sys/netinet6/ip6_input.c:693
—
DF-0483 Info No validation of attacker-supplied STP timer values from winning root bridge BPDU
sys/net/bridge/bridgestp.c:393
—
DF-0488 Info Hash secret only 32-bit + sc_flags 8-bit near exhaustion: hardening gaps
sys/netinet/tcp_syncache.c:118
—
DF-0500 Info Response handlers trust count/size fields without checking pcb->msg arglen: defense-in-depth gap
sys/netgraph7/bluetooth/socket/ng_btsocket_l2cap_raw.c:917
—
DF-0507 Info IPv6 port-selection hash XORs destination with itself: always zero, no load balancing
sys/netgraph7/ng_fec.c:1056
—
DF-0517 Info IPV6_FW_GET leaks one unused mbuf per call + walks chain without lock
sys/net/ip6fw/ip6_fw.c:1101
—
DF-0531 Info NGM_FEC_SET_MODE_INET6 sets mode unhandled by output path: all packets silently dropped
sys/netgraph/fec/ng_fec.c:1180
—
DF-0538 Info Type-confused stack buffer: char *addrbuf[NG_HOOKSIZ+4] is pointer array not byte array
sys/netgraph7/socket/ng_socket.c:981
—
DF-0539 Info ieee80211_node_dectestref implements non-atomic decrement-and-test: latent UAF trap
sys/netproto/802_11/wlan/ieee80211_dragonfly.c:497
—
DF-0550 Info Ring-size computation uses 32-bit multiply without overflow check: latent heap overflow
sys/net/netmap/netmap_mem2.c:927
—
DF-0553 Info SIOCSETVLAN accepts reserved VLAN IDs (0 and 0xFFF) without validation
sys/net/vlan/if_vlan.c:996
—
DF-0561 Info hci_event ignores hci_event_hdr_t.length: per-spec bound for all variable-length events dropped (root cause)
sys/netbt/hci_event.c:163
—
DF-0568 Info ACL/SCO packet type and length validation only compiled under #ifdef DIAGNOSTIC
sys/netbt/hci_link.c:431
—
DF-0575 Info Wrong timeout variable for inbound TCP/UDP state cleanup: 6x/3x premature expiry
sys/net/ipfw3_nat/ip_fw3_nat.c:971
—
DF-0579 Info Unbounded mbuf-to-stack copy in slstart BPF path: latent stack overflow
sys/net/sl/if_sl.c:536
—
DF-0584 Info ieee80211_ff_decap skips framelen validation: truncated frame delivery
sys/netproto/802_11/wlan/ieee80211_superg.c:309
—
DF-0593 Info Latent UAF: fairq_class_destroy does not clear dangling pif_default pointer (currently unreachable via pf ioctls)
sys/net/altq/altq_fairq.c:428
—
DF-0595 Info Michael MIC verification uses non-constant-time memcmp (defense-in-depth)
sys/netproto/802_11/wlan_tkip/ieee80211_crypto_tkip.c:359
—