Back to overview

CVE-2026-15449

MEDIUM
5.8
CVSS 4.0
Description
A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.

Metadata

CVE ID
CVE-2026-15449
State
PUBLISHED
Assigner
illumos
Reserved
2026-07-10 19:23 UTC
Published
2026-07-16 19:27 UTC
Last updated
2026-07-17 12:42 UTC
Primary CWE
CWE-367
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product
illumos / illumos-gate
Sources
cve.org  ·  NVD

Severity & Metrics

5.8 MEDIUM CVSS 4.0
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (3)
VendorProductPlatformVersions
illumos illumos-gate eae72b5b807baa9116e64502cbb278edf15f3146 < 6959feb5b430411a4809b06c53dcdb42fb525eac
OmniOS OmniOS any < r151054, r151058 < r151058j, r151056 < r151056aj, r151054 < r151054bj
Triton Data Center SmartOS any < 202060709
Weakness (CWE)
CWESourceDescription
CWE-122 cna CWE-122 Heap-based Buffer Overflow
CWE-367 cna CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.8 MEDIUM 4.0 cna CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Back to overview