Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    4 vulnerabilities by Triton Data Center

    CVE-2026-15449 (GCVE-0-2026-15449)

    Vulnerability from nvd – Published: 2026-07-16 19:27 – Updated: 2026-07-16 19:27
    VLAI
    Title
    TOCTOU double copyin in illumos dld ioctl handling causes kernel heap corruption
    Summary
    A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    illumos illumos-gate Affected: eae72b5b807baa9116e64502cbb278edf15f3146 , < 6959feb5b430411a4809b06c53dcdb42fb525eac (git)
    Create a notification for this product.
    OmniOS OmniOS Affected: any , < r151054 (custom)
    Affected: r151058 , < r151058j (custom)
    Affected: r151056 , < r151056aj (custom)
    Affected: r151054 , < r151054bj (custom)
    Create a notification for this product.
    Triton Data Center SmartOS Affected: any , < 202060709 (custom)
    Create a notification for this product.
    Date Public
    2026-07-08 19:00
    Credits
    Nick Wilkens of Edgecast Cloud Dan McDonald
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "kernel",
                "dld"
              ],
              "product": "illumos-gate",
              "programFiles": [
                "usr/src/uts/common/io/dld/dld_drv.c",
                "usr/src/uts/common/sys/dld.h"
              ],
              "repo": "https://github.com/illumos/illumos-gate",
              "vendor": "illumos",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6959feb5b430411a4809b06c53dcdb42fb525eac",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "6959feb5b430411a4809b06c53dcdb42fb525eac",
                  "status": "affected",
                  "version": "eae72b5b807baa9116e64502cbb278edf15f3146",
                  "versionType": "git"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "OmniOS",
              "vendor": "OmniOS",
              "versions": [
                {
                  "lessThan": "r151054",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151058j",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151058j",
                  "status": "affected",
                  "version": "r151058",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151056aj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151056aj",
                  "status": "affected",
                  "version": "r151056",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151054bj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151054bj",
                  "status": "affected",
                  "version": "r151054",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "SmartOS",
              "vendor": "Triton Data Center",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "20260709",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "202060709",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nick Wilkens of Edgecast Cloud"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Dan McDonald"
            }
          ],
          "datePublic": "2026-07-08T19:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cpre\u003eA time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.\u003c/pre\u003e"
                }
              ],
              "value": "A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            },
            {
              "capecId": "CAPEC-30",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T19:27:16.036Z",
            "orgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
            "shortName": "illumos"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://illumos.topicbox.com/groups/developer/T923147fae854a738-M03c29e1be33dac2a5e3d9535/18020-double-copyin-of-dldioc-consumers"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://illumos.org/issues/18020"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/illumos/illumos-gate/commit/6959feb5b430411a4809b06c53dcdb42fb525eac"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update your illumos distribution to one that includes the fix for issue 18020."
                }
              ],
              "value": "Update your illumos distribution to one that includes the fix for issue 18020."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-08T19:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "TOCTOU double copyin in illumos dld ioctl handling causes kernel heap corruption",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No mitigation is available. The referenced notification includes a DTrace script that detects exploitation attempts."
                }
              ],
              "value": "No mitigation is available. The referenced notification includes a DTrace script that detects exploitation attempts."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
        "assignerShortName": "illumos",
        "cveId": "CVE-2026-15449",
        "datePublished": "2026-07-16T19:27:16.036Z",
        "dateReserved": "2026-07-10T19:23:40.195Z",
        "dateUpdated": "2026-07-16T19:27:16.036Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15422 (GCVE-0-2026-15422)

    Vulnerability from nvd – Published: 2026-07-16 19:29 – Updated: 2026-07-16 19:29
    VLAI
    Title
    SCTP needs to better-check INIT ACK chunk parameters
    Summary
    The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    illumos illumos-gate Affected: a5407c02d5ed61b29481b9b71f1307d7ebec9e5c , < 53a3efdeff8e6745bbfb69c5360f94962fb79e75 (git)
    Create a notification for this product.
    OmniOS OmniOS Affected: r151058 , < r151058j (custom)
    Affected: r151056 , < r151056aj (custom)
    Affected: r151054 , < r151054bj (custom)
    Affected: any , < r151054 (custom)
    Create a notification for this product.
    Triton Data Center SmartOS Affected: any , < 202060709 (custom)
    Create a notification for this product.
    Date Public
    2026-07-08 18:00
    Credits
    Sourque Dan McDonald
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "kernel",
                "SCTP"
              ],
              "product": "illumos-gate",
              "programFiles": [
                "usr/src/uts/common/inet/sctp/sctp_hash.c"
              ],
              "repo": "https://github.com/illumos/illumos-gate",
              "vendor": "illumos",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
                  "status": "affected",
                  "version": "a5407c02d5ed61b29481b9b71f1307d7ebec9e5c",
                  "versionType": "git"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "OmniOS",
              "vendor": "OmniOS",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "r151058j",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151058j",
                  "status": "affected",
                  "version": "r151058",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151056aj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151056aj",
                  "status": "affected",
                  "version": "r151056",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151054bj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151054bj",
                  "status": "affected",
                  "version": "r151054",
                  "versionType": "custom"
                },
                {
                  "lessThan": "r151054",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "SmartOS",
              "vendor": "Triton Data Center",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "20260709",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "202060709",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sourque"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Dan McDonald"
            }
          ],
          "datePublic": "2026-07-08T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cpre\u003eThe illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.\u003c/pre\u003e"
                }
              ],
              "value": "The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            },
            {
              "capecId": "CAPEC-30",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T19:29:13.931Z",
            "orgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
            "shortName": "illumos"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://illumos.org/issues/18117"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update your illumos distro to one that includes 18117\u0027s fix."
                }
              ],
              "value": "Update your illumos distro to one that includes 18117\u0027s fix."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T20:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-08T19:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SCTP needs to better-check INIT ACK chunk parameters",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eIn order of recommendation:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e1.) Hotpatch the faulty SCTP input path. \u0026nbsp;See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.\u003c/div\u003e"
                }
              ],
              "value": "In order of recommendation:\n\n\n\n\n1.) Hotpatch the faulty SCTP input path. \u00a0See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\n\n\n2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
        "assignerShortName": "illumos",
        "cveId": "CVE-2026-15422",
        "datePublished": "2026-07-16T19:29:13.931Z",
        "dateReserved": "2026-07-10T15:20:03.858Z",
        "dateUpdated": "2026-07-16T19:29:13.931Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15422 (GCVE-0-2026-15422)

    Vulnerability from cvelistv5 – Published: 2026-07-16 19:29 – Updated: 2026-07-16 19:29
    VLAI
    Title
    SCTP needs to better-check INIT ACK chunk parameters
    Summary
    The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    illumos illumos-gate Affected: a5407c02d5ed61b29481b9b71f1307d7ebec9e5c , < 53a3efdeff8e6745bbfb69c5360f94962fb79e75 (git)
    Create a notification for this product.
    OmniOS OmniOS Affected: r151058 , < r151058j (custom)
    Affected: r151056 , < r151056aj (custom)
    Affected: r151054 , < r151054bj (custom)
    Affected: any , < r151054 (custom)
    Create a notification for this product.
    Triton Data Center SmartOS Affected: any , < 202060709 (custom)
    Create a notification for this product.
    Date Public
    2026-07-08 18:00
    Credits
    Sourque Dan McDonald
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "kernel",
                "SCTP"
              ],
              "product": "illumos-gate",
              "programFiles": [
                "usr/src/uts/common/inet/sctp/sctp_hash.c"
              ],
              "repo": "https://github.com/illumos/illumos-gate",
              "vendor": "illumos",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "53a3efdeff8e6745bbfb69c5360f94962fb79e75",
                  "status": "affected",
                  "version": "a5407c02d5ed61b29481b9b71f1307d7ebec9e5c",
                  "versionType": "git"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "OmniOS",
              "vendor": "OmniOS",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "r151058j",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151058j",
                  "status": "affected",
                  "version": "r151058",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151056aj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151056aj",
                  "status": "affected",
                  "version": "r151056",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151054bj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151054bj",
                  "status": "affected",
                  "version": "r151054",
                  "versionType": "custom"
                },
                {
                  "lessThan": "r151054",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "SmartOS",
              "vendor": "Triton Data Center",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "20260709",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "202060709",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sourque"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Dan McDonald"
            }
          ],
          "datePublic": "2026-07-08T18:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cpre\u003eThe illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde.\u003c/pre\u003e"
                }
              ],
              "value": "The illumos SCTP inbound path performs association lookup for INIT ACK chunks without adequately validating the address parameters carried in the chunk. Since this lookup runs during packet classification (i.e. before SCTP integrity checks or IPsec policy are applied) a remote, unauthenticated attacker can send a crafted SCTP INIT ACK packet with malformed address parameters to cause an out-of-bounds access and kernel heap corruption, which may lead to remote code execution. The flaw has existed since 2010 (illumos-gate commit a5407c02), and affects any illumos distribution prior to illumos-gate commit 53a3efde."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            },
            {
              "capecId": "CAPEC-30",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "YES",
                "Recovery": "USER",
                "Safety": "PRESENT",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "UNREPORTED",
                "privilegesRequired": "NONE",
                "providerUrgency": "RED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "CONCENTRATED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "HIGH"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based buffer overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "CWE-787 Out-of-bounds write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T19:29:13.931Z",
            "orgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
            "shortName": "illumos"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://illumos.topicbox.com/groups/developer/Ta1a8e2e1f7f928df/18117-sctp-needs-to-better-check-init-ack-chunk-parameters"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://illumos.org/issues/18117"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/illumos/illumos-gate/commit/53a3efdeff8e6745bbfb69c5360f94962fb79e75"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update your illumos distro to one that includes 18117\u0027s fix."
                }
              ],
              "value": "Update your illumos distro to one that includes 18117\u0027s fix."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T20:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-08T19:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SCTP needs to better-check INIT ACK chunk parameters",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cdiv\u003eIn order of recommendation:\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e1.) Hotpatch the faulty SCTP input path. \u0026nbsp;See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack.\u003c/div\u003e"
                }
              ],
              "value": "In order of recommendation:\n\n\n\n\n1.) Hotpatch the faulty SCTP input path. \u00a0See the illumos issue for the hotpatch technique. If the function to patch does not exist, the issue has been fixed. If the output does not match the illumos issue\u0027s output, contact developers@lists.illumos.org.\n\n\n2.) Use ipfilter per-netstack or perimeter firewalls to drop SCTP packets. IMPORTANT NOTE: any entity inside an SCTP-dropping firewall perimeter can still attack."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
        "assignerShortName": "illumos",
        "cveId": "CVE-2026-15422",
        "datePublished": "2026-07-16T19:29:13.931Z",
        "dateReserved": "2026-07-10T15:20:03.858Z",
        "dateUpdated": "2026-07-16T19:29:13.931Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15449 (GCVE-0-2026-15449)

    Vulnerability from cvelistv5 – Published: 2026-07-16 19:27 – Updated: 2026-07-16 19:27
    VLAI
    Title
    TOCTOU double copyin in illumos dld ioctl handling causes kernel heap corruption
    Summary
    A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    • CWE-122 - Heap-based Buffer Overflow
    Assigner
    Impacted products
    Vendor Product Version
    illumos illumos-gate Affected: eae72b5b807baa9116e64502cbb278edf15f3146 , < 6959feb5b430411a4809b06c53dcdb42fb525eac (git)
    Create a notification for this product.
    OmniOS OmniOS Affected: any , < r151054 (custom)
    Affected: r151058 , < r151058j (custom)
    Affected: r151056 , < r151056aj (custom)
    Affected: r151054 , < r151054bj (custom)
    Create a notification for this product.
    Triton Data Center SmartOS Affected: any , < 202060709 (custom)
    Create a notification for this product.
    Date Public
    2026-07-08 19:00
    Credits
    Nick Wilkens of Edgecast Cloud Dan McDonald
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "modules": [
                "kernel",
                "dld"
              ],
              "product": "illumos-gate",
              "programFiles": [
                "usr/src/uts/common/io/dld/dld_drv.c",
                "usr/src/uts/common/sys/dld.h"
              ],
              "repo": "https://github.com/illumos/illumos-gate",
              "vendor": "illumos",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6959feb5b430411a4809b06c53dcdb42fb525eac",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "6959feb5b430411a4809b06c53dcdb42fb525eac",
                  "status": "affected",
                  "version": "eae72b5b807baa9116e64502cbb278edf15f3146",
                  "versionType": "git"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "OmniOS",
              "vendor": "OmniOS",
              "versions": [
                {
                  "lessThan": "r151054",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151058j",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151058j",
                  "status": "affected",
                  "version": "r151058",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151056aj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151056aj",
                  "status": "affected",
                  "version": "r151056",
                  "versionType": "custom"
                },
                {
                  "changes": [
                    {
                      "at": "r151054bj",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "r151054bj",
                  "status": "affected",
                  "version": "r151054",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "affected",
              "product": "SmartOS",
              "vendor": "Triton Data Center",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "20260709",
                      "status": "unaffected"
                    }
                  ],
                  "lessThan": "202060709",
                  "status": "affected",
                  "version": "any",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nick Wilkens of Edgecast Cloud"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Dan McDonald"
            }
          ],
          "datePublic": "2026-07-08T19:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cpre\u003eA time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise.\u003c/pre\u003e"
                }
              ],
              "value": "A time-of-check to time-of-use (TOCTOU) flaw in the illumos data-link pseudo-driver (dld) affects handling of the DLDIOC_GETMACPROP and DLDIOC_SETMACPROP ioctls on /dev/dld. drv_ioc_prop_common() in usr/src/uts/common/io/dld/dld_drv.c copies the dld_ioc_macprop_t ioctl header in once to read its pr_valsize field, sizes and allocates a kernel heap buffer from that value, and then copies the full request in a second time from the same unprivileged user address. A concurrent thread can enlarge pr_valsize between the two copyins, so the second copyin and the subsequent property handling write beyond the end of the undersized allocation and corrupt the kernel heap. An unprivileged local user, including one confined to a non-global zone that owns a datalink, can trigger this to panic the system. The resulting kernel heap corruption may be usable for further compromise."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-100",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-100 Overflow Buffers"
                }
              ]
            },
            {
              "capecId": "CAPEC-30",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-30 Hijacking a Privileged Thread of Execution"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "LOW",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-122",
                  "description": "CWE-122 Heap-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T19:27:16.036Z",
            "orgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
            "shortName": "illumos"
          },
          "references": [
            {
              "tags": [
                "mailing-list"
              ],
              "url": "https://illumos.topicbox.com/groups/developer/T923147fae854a738-M03c29e1be33dac2a5e3d9535/18020-double-copyin-of-dldioc-consumers"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://illumos.org/issues/18020"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/illumos/illumos-gate/commit/6959feb5b430411a4809b06c53dcdb42fb525eac"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update your illumos distribution to one that includes the fix for issue 18020."
                }
              ],
              "value": "Update your illumos distribution to one that includes the fix for issue 18020."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-08T19:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "TOCTOU double copyin in illumos dld ioctl handling causes kernel heap corruption",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "No mitigation is available. The referenced notification includes a DTrace script that detects exploitation attempts."
                }
              ],
              "value": "No mitigation is available. The referenced notification includes a DTrace script that detects exploitation attempts."
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0ca53633-f0b5-4853-ba72-e0a2e62000d0",
        "assignerShortName": "illumos",
        "cveId": "CVE-2026-15449",
        "datePublished": "2026-07-16T19:27:16.036Z",
        "dateReserved": "2026-07-10T19:23:40.195Z",
        "dateUpdated": "2026-07-16T19:27:16.036Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }