CVE-2026-2261 (GCVE-0-2026-2261)

Vulnerability from cvelistv5 – Published: 2026-03-09 12:10 – Updated: 2026-03-11 15:02
Title
blocklistd(8) socket leak
Summary
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.

Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.

Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.

An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out of file descriptors and become ineffective.

The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
CWE
  • CWE-772 - Missing Release of Resource after Effective Lifetime
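Assigner
  • freebsd
References
  • https://security.freebsd.org/advisories/FreeBSD-SA-26:03.blocklistd.asc (vendor-advisory)
Impacted products
  • Vendor: FreeBSD
  • Product: FreeBSD (module: blocklistd)
  • Version: Affected: 15.0-RELEASE, < p3 (release)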
Date Public
2026-02-10 19:00

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-2261",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T15:02:47.286466Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T15:02:53.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "blocklistd"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p3",
              "status": "affected",
              "version": "15.0-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "datePublic": "2026-02-10T19:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.\n\nOnce a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper.  At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.\n\nOnce a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.\n\nAn attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.\n\nEven in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.\n\nThe accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-772",
              "description": "CWE-772: Missing Release of Resource after Effective Lifetime",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-09T12:10:08.194Z",
        "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
        "shortName": "freebsd"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:03.blocklistd.asc"
        }
      ],
      "title": "blocklistd(8) socket leak",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
    "assignerShortName": "freebsd",
    "cveId": "CVE-2026-2261",
    "datePublished": "2026-03-09T12:10:08.194Z",
    "dateReserved": "2026-02-09T17:48:49.244Z",
    "dateUpdated": "2026-03-11T15:02:53.159Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

