Improper input validation in the FreeBSD kernel's NFS client-side implementation allows local unprivileged users to escalate their privileges and execute arbitrary code with root permissions. The function nfs_mount() in file src/sys/nfsclient/nfs_vfsops.c, which is reachable from the mount and nmount system calls, employs an insufficient input validation method for copying data passed in a structure of type nfs_args from userspace to kernel. Specifically, the file handle buffer to be mounted (args.fh) and its size (args.fhsize) are completely user-controllable. This vulnerability can cause a kernel stack overflow which leads to privilege escalation.
CVE Link
Exploit Platform
Exploit Type
Product Name