VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2005 · Updated Jun 16, 2026

CVE-2005-4782

Description

NetBSD 2.0 before 2.0.4, 2.1 before 2.1.1, and 3, when the kernel is compiled with "options DIAGNOSTIC," allows local users to cause a denial of service (kernel assertion panic) via a negative linger time in the SO_LINGER socket option.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • NetBSD / NetBSD (6 versions)
    • cpe:2.3:o:netbsd:netbsd:2.0:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:2.0.3:*:*:*:*:*:*:*
    • cpe:2.3:o:netbsd:netbsd:2.1:*:*:*:*:*:*:*
    • (no CPE) range: <2.0.4, <2.1.1, 3

Patches

Vulnerability mechanics

Root cause

"Missing bounds checking on the SO_LINGER linger time argument allows a negative value to reach a kernel assertion that panics."

Attack vector

A local unprivileged user calls `setsockopt()` with the `SO_LINGER` option and passes a negative linger time (e.g., a negative number of seconds) in the `struct linger`. Because the kernel does not validate that the linger time is non-negative, the negative value is multiplied by `hz` and passed to `tsleep()`. In a kernel compiled with `options DIAGNOSTIC`, the `KASSERT()` inside `callout_reset()` fires on the negative timeout, causing a kernel panic and a denial of service [ref_id=1].

Affected code

The vulnerability is in the kernel socket option handling, specifically in `sys/kern/uipc_socket.c` where `setsockopt()` processes the `SO_LINGER` option. The linger time argument was not bounds-checked before being passed to `tsleep()` and subsequently to `callout_reset()`, where a `KASSERT()` in a DIAGNOSTIC kernel panics on negative values [ref_id=1].

What the fix does

The advisory states that the fix adds proper bounds checking on the SO_LINGER time argument so that negative values or values that cause `seconds * hz` to overflow `INT_MAX` are rejected before reaching `tsleep()` or `callout_reset()`. Users can also work around the issue by removing the `options DIAGNOSTIC` kernel configuration option, which eliminates the `KASSERT()` panic, though this does not fix the underlying missing validation [ref_id=1].
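As an added example, not code from the advisory or from NetBSD's source tree, the following C model contrasts the unchecked seconds-to-ticks conversion the advisory describes with the bounds check the fix adds (negative times and times whose product with `hz` would exceed `INT_MAX` are rejected before any timeout is armed). The function names and the `HZ` value are assumptions; `struct linger` comes from the standard socket API.

```c
/* Added example (not NetBSD's code): models the SO_LINGER time handling
 * described in the advisory, unchecked and with the fix's bounds check.
 * Function names and HZ are assumptions; NetBSD uses the kernel "hz" variable. */
#include <limits.h>
#include <stdio.h>
#include <sys/socket.h>   /* struct linger { int l_onoff; int l_linger; } */

#define HZ 100            /* assumed clock rate (ticks per second) */

/* Unchecked conversion as in the affected kernels: a negative l_linger yields
 * a negative tick count, which is what the DIAGNOSTIC kernel's KASSERT() in
 * callout_reset() trips over.  (Large inputs overflow int, so do not feed
 * this model values above INT_MAX / HZ.) */
int linger_ticks_unchecked(const struct linger *l)
{
    return l->l_linger * HZ;
}

/* Conversion with the validation the fix describes: reject negative times
 * and times for which seconds * hz would not fit in an int.  Returns 0 and
 * stores the tick count on success; returns -1 (the kernel would return
 * EINVAL to the caller) when the argument is out of range. */
int linger_ticks_checked(const struct linger *l, int *ticks_out)
{
    if (l->l_linger < 0)
        return -1;                  /* negative linger time */
    if (l->l_linger > INT_MAX / HZ)
        return -1;                  /* seconds * hz would overflow INT_MAX */
    *ticks_out = l->l_linger * HZ;
    return 0;
}

int main(void)
{
    /* constructed inputs: a sane value, a negative one, and an overflowing one */
    struct linger inputs[] = { { 1, 5 }, { 1, -1 }, { 1, INT_MAX } };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ticks;
        int rc = linger_ticks_checked(&inputs[i], &ticks);
        printf("l_linger=%d -> %s\n", inputs[i].l_linger,
               rc == 0 ? "accepted" : "rejected (EINVAL)");
    }
    return 0;
}
```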

Preconditions

  • config: The kernel must be compiled with 'options DIAGNOSTIC'
  • auth: Attacker must have local unprivileged access to the system
  • input: Attacker must be able to call setsockopt() with SO_LINGER on a socket

Reproduction

No public exploit or PoC is included in the bundle.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
