{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-29781", "tracking": { "current_release_date": "2026-03-27T08:38:44.258316Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-29781", "initial_release_date": "2026-03-05T00:39:57.215292Z", "revision_history": [ { "date": "2026-03-05T00:39:57.215292Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)." }, { "date": "2026-03-05T00:40:05.910452Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-05T06:12:36.276321Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-05T06:12:42.075951Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-07T15:38:45.968984Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)." }, { "date": "2026-03-07T15:38:53.489618Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-07T16:25:03.712568Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)." }, { "date": "2026-03-07T16:25:13.180864Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-08T14:49:18.066924Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-08T14:49:26.963406Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-03-09T17:02:46.303360Z", "number": "11", "summary": "References created (1)." }, { "date": "2026-03-09T17:02:48.048326Z", "number": "12", "summary": "NCSC Score updated." }, { "date": "2026-03-09T18:12:51.177607Z", "number": "13", "summary": "References created (1)." }, { "date": "2026-03-09T18:39:23.686422Z", "number": "14", "summary": "Unknown change." }, { "date": "2026-03-11T22:25:03.625156Z", "number": "15", "summary": "CVSS created.| Products created (1).| Product Identifiers created (1).| Exploits created (1)." }, { "date": "2026-03-11T22:25:08.813804Z", "number": "16", "summary": "NCSC Score updated." }, { "date": "2026-03-20T09:34:50.024703Z", "number": "17", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T09:34:53.760643Z", "number": "18", "summary": "NCSC Score updated." }, { "date": "2026-03-25T18:15:14.809209Z", "number": "19", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (1)." }, { "date": "2026-03-25T18:15:16.528378Z", "number": "20", "summary": "NCSC Score updated." }, { "date": "2026-03-25T19:03:17.253691Z", "number": "21", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (94).| Products created (3).| References created (3).| CWES updated (1)." }, { "date": "2026-03-27T08:08:18.070465Z", "number": "22", "summary": "NCSC Score updated." } ], "status": "interim", "version": "22" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=1.7.3", "product": { "name": "vers:unknown/<=1.7.3", "product_id": "CSAFPID-5800187", "product_identification_helper": { "cpe": "cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/git-7d47fe39", "product": { "name": "vers:unknown/git-7d47fe39", "product_id": "CSAFPID-3794399" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.1-alpha", "product": { "name": "vers:unknown/v0.0.1-alpha", "product_id": "CSAFPID-3794400" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.2-alpha", "product": { "name": "vers:unknown/v0.0.2-alpha", "product_id": "CSAFPID-3794401" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.3-alpha", "product": { "name": "vers:unknown/v0.0.3-alpha", "product_id": "CSAFPID-3794402" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.5-alpha", "product": { "name": "vers:unknown/v0.0.5-alpha", "product_id": "CSAFPID-3794403" } }, { "category": "product_version_range", "name": "vers:unknown/v0.0.6-alpha", "product": { "name": "vers:unknown/v0.0.6-alpha", "product_id": "CSAFPID-3794404" } }, { "category": "product_version_range", "name": "vers:unknown/v1.0.0-beta", "product": { "name": "vers:unknown/v1.0.0-beta", "product_id": "CSAFPID-3794405" } }, { "category": "product_version_range", "name": "vers:unknown/v1.0.2-beta", "product": { "name": "vers:unknown/v1.0.2-beta", "product_id": "CSAFPID-3794406" } }, { "category": "product_version_range", "name": "vers:unknown/v1.0.3-beta", "product": { "name": "vers:unknown/v1.0.3-beta", "product_id": "CSAFPID-3794407" } }, { "category": "product_version_range", "name": "vers:unknown/v1.0.6-beta", "product": { "name": "vers:unknown/v1.0.6-beta", "product_id": "CSAFPID-3794408" } }, { "category": "product_version_range", "name": "vers:unknown/v1.0.7-beta", "product": { "name": "vers:unknown/v1.0.7-beta", "product_id": "CSAFPID-3794409" } }, { "category": "product_version_range", "name": "vers:unknown/v1.0.8-beta", "product": { "name": "vers:unknown/v1.0.8-beta", "product_id": "CSAFPID-3794410" } }, { "category": "product_version_range", "name": "vers:unknown/v1.1.0", "product": { "name": "vers:unknown/v1.1.0", "product_id": "CSAFPID-3794411" } }, { "category": "product_version_range", "name": "vers:unknown/v1.1.1", "product": { "name": "vers:unknown/v1.1.1", "product_id": "CSAFPID-3794412" } }, { "category": "product_version_range", "name": "vers:unknown/v1.2.0", "product": { "name": "vers:unknown/v1.2.0", "product_id": "CSAFPID-3794413" } }, { "category": "product_version_range", "name": "vers:unknown/v1.2.1", "product": { "name": "vers:unknown/v1.2.1", "product_id": "CSAFPID-3794414" } }, { "category": "product_version_range", "name": "vers:unknown/v1.3.0", "product": { "name": "vers:unknown/v1.3.0", "product_id": "CSAFPID-3794415" } }, { "category": "product_version_range", "name": "vers:unknown/v1.3.1", "product": { "name": "vers:unknown/v1.3.1", "product_id": "CSAFPID-3794416" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.0", "product": { "name": "vers:unknown/v1.4.0", "product_id": "CSAFPID-3794417" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.1", "product": { "name": "vers:unknown/v1.4.1", "product_id": "CSAFPID-3794418" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.10", "product": { "name": "vers:unknown/v1.4.10", "product_id": "CSAFPID-3794419" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.11", "product": { "name": "vers:unknown/v1.4.11", "product_id": "CSAFPID-3794420" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.12", "product": { "name": "vers:unknown/v1.4.12", "product_id": "CSAFPID-3794421" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.13", "product": { "name": "vers:unknown/v1.4.13", "product_id": "CSAFPID-3794422" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.14", "product": { "name": "vers:unknown/v1.4.14", "product_id": "CSAFPID-3794423" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.15", "product": { "name": "vers:unknown/v1.4.15", "product_id": "CSAFPID-3794424" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.16", "product": { "name": "vers:unknown/v1.4.16", "product_id": "CSAFPID-3794425" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.17", "product": { "name": "vers:unknown/v1.4.17", "product_id": "CSAFPID-3794426" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.18", "product": { "name": "vers:unknown/v1.4.18", "product_id": "CSAFPID-3794427" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.19", "product": { "name": "vers:unknown/v1.4.19", "product_id": "CSAFPID-3794428" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.2", "product": { "name": "vers:unknown/v1.4.2", "product_id": "CSAFPID-3794429" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.20", "product": { "name": "vers:unknown/v1.4.20", "product_id": "CSAFPID-3794430" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.21", "product": { "name": "vers:unknown/v1.4.21", "product_id": "CSAFPID-3794431" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.22", "product": { "name": "vers:unknown/v1.4.22", "product_id": "CSAFPID-3794432" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.3", "product": { "name": "vers:unknown/v1.4.3", "product_id": "CSAFPID-3794433" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.4", "product": { "name": "vers:unknown/v1.4.4", "product_id": "CSAFPID-3794434" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.5", "product": { "name": "vers:unknown/v1.4.5", "product_id": "CSAFPID-3794435" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.6", "product": { "name": "vers:unknown/v1.4.6", "product_id": "CSAFPID-3794436" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.7", "product": { "name": "vers:unknown/v1.4.7", "product_id": "CSAFPID-3794437" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.8", "product": { "name": "vers:unknown/v1.4.8", "product_id": "CSAFPID-3794438" } }, { "category": "product_version_range", "name": "vers:unknown/v1.4.9", "product": { "name": "vers:unknown/v1.4.9", "product_id": "CSAFPID-3794439" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.0", "product": { "name": "vers:unknown/v1.5.0", "product_id": "CSAFPID-3794440" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.1", "product": { "name": "vers:unknown/v1.5.1", "product_id": "CSAFPID-3794441" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.10", "product": { "name": "vers:unknown/v1.5.10", "product_id": "CSAFPID-3794442" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.11", "product": { "name": "vers:unknown/v1.5.11", "product_id": "CSAFPID-3794443" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.12", "product": { "name": "vers:unknown/v1.5.12", "product_id": "CSAFPID-3794444" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.13", "product": { "name": "vers:unknown/v1.5.13", "product_id": "CSAFPID-3794445" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.14", "product": { "name": "vers:unknown/v1.5.14", "product_id": "CSAFPID-3794446" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.15", "product": { "name": "vers:unknown/v1.5.15", "product_id": "CSAFPID-3794447" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.16", "product": { "name": "vers:unknown/v1.5.16", "product_id": "CSAFPID-3794448" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.17", "product": { "name": "vers:unknown/v1.5.17", "product_id": "CSAFPID-3794449" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.18", "product": { "name": "vers:unknown/v1.5.18", "product_id": "CSAFPID-3794450" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.19", "product": { "name": "vers:unknown/v1.5.19", "product_id": "CSAFPID-3794451" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.2", "product": { "name": "vers:unknown/v1.5.2", "product_id": "CSAFPID-3794452" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.20", "product": { "name": "vers:unknown/v1.5.20", "product_id": "CSAFPID-3794453" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.21", "product": { "name": "vers:unknown/v1.5.21", "product_id": "CSAFPID-3794454" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.22", "product": { "name": "vers:unknown/v1.5.22", "product_id": "CSAFPID-3794455" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.23", "product": { "name": "vers:unknown/v1.5.23", "product_id": "CSAFPID-3794456" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.24", "product": { "name": "vers:unknown/v1.5.24", "product_id": "CSAFPID-3794457" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.25", "product": { "name": "vers:unknown/v1.5.25", "product_id": "CSAFPID-3794458" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.26", "product": { "name": "vers:unknown/v1.5.26", "product_id": "CSAFPID-3794459" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.27", "product": { "name": "vers:unknown/v1.5.27", "product_id": "CSAFPID-3794460" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.28", "product": { "name": "vers:unknown/v1.5.28", "product_id": "CSAFPID-3794461" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.29", "product": { "name": "vers:unknown/v1.5.29", "product_id": "CSAFPID-3794462" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.3", "product": { "name": "vers:unknown/v1.5.3", "product_id": "CSAFPID-3794463" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.30", "product": { "name": "vers:unknown/v1.5.30", "product_id": "CSAFPID-3794464" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.31", "product": { "name": "vers:unknown/v1.5.31", "product_id": "CSAFPID-3794465" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.32", "product": { "name": "vers:unknown/v1.5.32", "product_id": "CSAFPID-3794466" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.33", "product": { "name": "vers:unknown/v1.5.33", "product_id": "CSAFPID-3794467" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.34", "product": { "name": "vers:unknown/v1.5.34", "product_id": "CSAFPID-3794468" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.35", "product": { "name": "vers:unknown/v1.5.35", "product_id": "CSAFPID-3794469" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.36", "product": { "name": "vers:unknown/v1.5.36", "product_id": "CSAFPID-3794470" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.37", "product": { "name": "vers:unknown/v1.5.37", "product_id": "CSAFPID-3794471" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.38", "product": { "name": "vers:unknown/v1.5.38", "product_id": "CSAFPID-3794472" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.39", "product": { "name": "vers:unknown/v1.5.39", "product_id": "CSAFPID-3794473" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.4", "product": { "name": "vers:unknown/v1.5.4", "product_id": "CSAFPID-3794474" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.5", "product": { "name": "vers:unknown/v1.5.5", "product_id": "CSAFPID-3794478" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.6", "product": { "name": "vers:unknown/v1.5.6", "product_id": "CSAFPID-3794479" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.7", "product": { "name": "vers:unknown/v1.5.7", "product_id": "CSAFPID-3794480" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.8", "product": { "name": "vers:unknown/v1.5.8", "product_id": "CSAFPID-3794481" } }, { "category": "product_version_range", "name": "vers:unknown/v1.5.9", "product": { "name": "vers:unknown/v1.5.9", "product_id": "CSAFPID-3794482" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.0", "product": { "name": "vers:unknown/v1.6.0", "product_id": "CSAFPID-5577729" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.1", "product": { "name": "vers:unknown/v1.6.1", "product_id": "CSAFPID-5577730" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.10", "product": { "name": "vers:unknown/v1.6.10", "product_id": "CSAFPID-5577731" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.11", "product": { "name": "vers:unknown/v1.6.11", "product_id": "CSAFPID-5587663" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.2", "product": { "name": "vers:unknown/v1.6.2", "product_id": "CSAFPID-5577732" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.3", "product": { "name": "vers:unknown/v1.6.3", "product_id": "CSAFPID-5577733" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.4", "product": { "name": "vers:unknown/v1.6.4", "product_id": "CSAFPID-5577734" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.5", "product": { "name": "vers:unknown/v1.6.5", "product_id": "CSAFPID-5577735" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.6", "product": { "name": "vers:unknown/v1.6.6", "product_id": "CSAFPID-5577736" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.7", "product": { "name": "vers:unknown/v1.6.7", "product_id": "CSAFPID-5577737" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.8", "product": { "name": "vers:unknown/v1.6.8", "product_id": "CSAFPID-5577738" } }, { "category": "product_version_range", "name": "vers:unknown/v1.6.9", "product": { "name": "vers:unknown/v1.6.9", "product_id": "CSAFPID-5577739" } }, { "category": "product_version_range", "name": "vers:unknown/v1.7.0", "product": { "name": "vers:unknown/v1.7.0", "product_id": "CSAFPID-5587664" } }, { "category": "product_version_range", "name": "vers:unknown/v1.7.1", "product": { "name": "vers:unknown/v1.7.1", "product_id": "CSAFPID-5909029" } }, { "category": "product_version_range", "name": "vers:unknown/v1.7.2", "product": { "name": "vers:unknown/v1.7.2", "product_id": "CSAFPID-5909030" } }, { "category": "product_version_range", "name": "vers:unknown/v1.7.3", "product": { "name": "vers:unknown/v1.7.3", "product_id": "CSAFPID-5909031" } } ], "category": "product_name", "name": "sliver" } ], "category": "vendor", "name": "Bishop Fox" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<=1.7.3", "product": { "name": "vers:unknown/<=1.7.3", "product_id": "CSAFPID-5769858" } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<=1.7.3", "product": { "name": "vers:unknown/>=0|<=1.7.3", "product_id": "CSAFPID-5760878" } } ], "category": "product_name", "name": "sliver" } ], "category": "vendor", "name": "BishopFox" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-29781", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "notes": [ { "category": "description", "text": "## 1. Executive Summary\nA vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations.\n\n## 2. Vulnerability Details\n### 2.0 Technical Workflow: From Envelope to Handler\nSliver encapsulates all C2 traffic in a generic `sliverpb.Envelope`, which acts as a routing wrapper. When the server receives an Envelope with `Type = 53` (MsgBeaconRegister), the internal router strips the envelope and passes the raw `Data` bytes directly to the vulnerable `handlers.beaconRegisterHandler(implantConn, data)`. This flow is consistent across all transports, but the **error handling** of the transport itself determines the final impact.\n\n### 2.1 BeaconRegister Nil-Pointer Dereference\n- **Vulnerability Type:** Remote Denial of Service via Nil-Pointer Dereference ([CWE-476](https://cwe.mitre.org/data/definitions/476.html))\n- **Component:** `server/handlers/beacons.go`\n- **Affected Functions:** [beaconRegisterHandler](https://github.com/BishopFox/sliver/blob/master/server/handlers/beacons.go#L46-L110).\n- **Severity:** Critical\n- **Complexity:** Low\n\n#### Root Cause Analysis\nThe core of the vulnerability lies in the architectural handling of Protobuf messages within the Go runtime. In `proto3`, all fields are optional by design. When a message contains a nested sub-message (like `Register` inside `BeaconRegister`), the Go Protobuf implementation represents this sub-message as a **pointer**.\n\nIn `server/handlers/beacons.go`, the server unmarshals the incoming data without subsequent validation of its nested structures:\n```Go\nfunc beaconRegisterHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {\n // ...\n beaconReg := &sliverpb.BeaconRegister{}\n err := proto.Unmarshal(data, beaconReg)\n\t// Successful even if 'Register' sub-message is omitted\n \n // VULNERABILITY: beaconReg.Register is nil if omitted by sender.\n // Accessing any property of a nil pointer triggers an immediate runtime panic.\n beaconRegUUID, _ := uuid.FromString(beaconReg.Register.Uuid) \n // ...\n}\n```\n\nIf an attacker constructs a `BeaconRegister` message and deliberately omits the `Register` field, `proto.Unmarshal` parses the stream without error but leaves the `Register` pointer as `nil`. The subsequent attempt to access `beaconReg.Register.Uuid` triggers a **Nil-Pointer Dereference**.\n### 2.2 Expanded Inventory: System-Wide Nil-Pointer Vulnerabilities\nBeyond the beacon registration, the investigation revealed a systemic pattern of missing nil-checks across various handlers. These vulnerabilities follow the same root cause: immediate dereferencing of nested Protobuf fields post-unmarshalling.\n\n#### 2.2.1 Remote Implant Vectors (Unauthenticated)\nThese handlers process data from implants. If an implant binary is captured, these can be triggered to crash the server:\n- **Reverse Tunneling (`server/handlers/sessions.go`):** The `createReverseTunnelHandler` panics when `req.Rportfwd` is omitted.\n- **SOCKS Proxying (`server/handlers/sessions.go`):** The `socksDataHandler` fails when the `SocksData` sub-message is absent.\n- **Pivot/Peer Communication (`server/handlers/pivot.go`):** Functions `serverKeyExchange` and `peersToString` dereference `peerEnvelope.Peers` without checking if the peer list is empty or nil.\n\n#### 2.2.2 Authenticated Operator Vectors (gRPC Layer)\nThe Sliver RPC server (`server/rpc/`) is also susceptible. While these require an authenticated operator, they represent a significant stability risk where a malformed request from a custom client or automated script can bring down the entire C2 infrastructure.\n\n| Function | File | Vulnerable Pattern |\n| ------------------- | ------------------------------- | ------------------------------------------------------- |\n| getTimeout | server/rpc/rpc.go | `req.GetRequest().Timeout` |\n| getError | server/rpc/rpc.go | `resp.GetResponse().Err` |\n| Portfwd | server/rpc/rpc-portfwd.go | `req.Request.SessionID` |\n| GetSystem | server/rpc/rpc-priv.go | `req.GetRequest().SessionID` |\n| GetPrivileges | server/rpc/rpc-priv.go | `req.Request.SessionID` |\n| NetConnPivot | server/rpc/rpc-pivot.go | `req.Request.SessionID` |\n| PivotListeners | server/rpc/rpc-pivot.go | `req.Request.SessionID` |\n| SocksStart | server/rpc/rpc-socks.go | `req.Request.SessionID` |\n| SocksStop | server/rpc/rpc-socks.go | `req.Request.SessionID` |\n| RPortfwd | server/rpc/rpc-rportfwd.go | `req.Request.SessionID` |\n| Shell | server/rpc/rpc-shell.go | `req.Request.SessionID` |\n| ShellResize | server/rpc/rpc-shell.go | `req.Request.SessionID` |\n| BackdoorImplant | server/rpc/rpc-backdoor.go | `req.Request.SessionID`, `req.Request.Timeout` |\n| CrackstationTrigger | server/rpc/rpc-crackstations.go | `statusUpdate.HostUUID` (after unmarshal of `req.Data`) |\n| Tasks | server/rpc/rpc-tasks.go | `req.Request.SessionID` |\n| ImplantReconfig | server/rpc/rpc-reconfig.go | `req.Request.SessionID` |\n| MsfInject | server/rpc/rpc-msf.go | `req.Request.SessionID` |\n| Hijack | server/rpc/rpc-hijack.go | `req.Request.SessionID` |\n\n---\n\n## 3. Proof of Concept & Attack Feasibility\n### 3.1 Attack Feasibility: Credential Extraction\nThe exploit requires valid implant credentials, which are inherently embedded in Sliver's generated binaries. Since these binaries are often deployed to untrusted or compromised environments, credential recovery is a high-probability event. During testing, it was confirmed that an attacker can obtain the required mTLS certificates and Age Secret Keys through:\n- **Static Extraction (Trivial):** By default, running the `strings` utility on the implant binary or dumping the embedded configuration block is sufficient to recover the private keys.\n- **Memory Forensics:** If an implant is captured during execution, the configuration structures can be carved directly from the process memory, bypassing most disk-level obfuscation.\n\n### 3.2 Exploit Execution Flow\nThe provided exploit [mtls_poc.go](https://github.com/skoveit/Sliver-Nil-Pointer-DoS-PoC/blob/main/mtls_poc.go) or [mtls_poc.go](https://gist.github.com/skoveit/a5e52b5c9197fc53e2605a861cd8aa33) demonstrates how a single captured implant can be weaponized into a \"Kill Switch\" for the entire C2 infrastructure. The attack follows these steps:\n1. **Authentication:** Establishes a valid mTLS connection using the extracted certificates.\n2. **Multiplexing:** Negotiates a Yamux stream, bypassing standard network-level protections.\n3. **Payload Construction:** Builds a `BeaconRegister` Protobuf message where the `ID` is defined, but the critical `Register` sub-message is explicitly omitted (set to `nil`).\n4. **Envelope Signing:** Deterministically signs the malicious envelope using the recovered Age private key to ensure it is accepted by the server.\n5. **Trigger:** Sends the malformed payload. Upon receipt, the server's handler attempts to dereference the missing `Register` pointer, leading to an immediate **Full Server DoS**.\n\n## 4. Transport-Specific Response & Recovery Analysis\nThe impact of this panic varies significantly depending on the C2 transport used by the implant. While the nil-pointer dereference happens in the shared handler logic, the transport layer determines whether this results in a localized request failure or a total server termination.\n\n### 4.1 HTTP/S Transport\nHTTP-based beacons do **not** crash the entire Sliver server. This is because Sliver utilizes the standard Go `net/http` library.\n\n**Code Reference ([server/c2/http.go](https://github.com/BishopFox/sliver/blob/master/server/c2/http.go)):**\n```go\nserver.HTTPServer = &http.Server{\n Addr: fmt.Sprintf(\"%s:%d\", req.Host, req.Port),\n Handler: server.router(),\n // ...\n}\n// ...\ngo server.HTTPServer.ListenAndServe()\n```\n\nBy design, `net/http`'s `ServeHTTP` implementation wraps every connection in a `defer recover()` block. When the [beaconRegisterHandler](https://github.com/BishopFox/sliver/blob/master/server/handlers/beacons.go#L46-L109) panics, the standard library catches it, logs the trace, and simply closes that specific TCP connection. The rest of the server remains unaffected.\n\n### 4.2 mTLS & WireGuard Transports (Full DoS)\nBoth mTLS and WireGuard utilize the `yamux` multiplexer to handle multiple streams over a single connection. Unlike the HTTP server, Sliver manually manages these goroutines without a global recovery mechanism.\n\n**mTLS [server/c2/mtls.go](https://github.com/BishopFox/sliver/blob/master/server/c2/mtls.go):**\n```go\nif handler, ok := handlers[envelope.Type]; ok {\n mtlsLog.Debugf(\"Received new mtls message type %d, data: %s\", envelope.Type, envelope.Data)\n go func(envelope *sliverpb.Envelope) {\n respEnvelope := handler(implantConn, envelope.Data) // <--- PANIC HERE\n if respEnvelope != nil {\n implantConn.Send <- respEnvelope\n }\n }(envelope)\n}\n```\n\n**WireGuard [server/c2/wireguard.go](https://github.com/BishopFox/sliver/blob/master/server/c2/wireguard.go):**\n```go\nif handler, ok := handlers[envelope.Type]; ok {\n go func(envelope *sliverpb.Envelope) {\n respEnvelope := handler(implantConn, envelope.Data) // <--- PANIC HERE\n // ...\n }(envelope)\n}\n```\n\nBecause these handlers are invoked in a **raw goroutine** without a `recover()` block, the panic propagates to the top of the stack, causing the entire Go runtime to exit (SIGSEGV). This kills the `sliver-server` process immediately.\n\n### 4.3 DNS Transport (Full DoS)\nSimilar to mTLS, the DNS transport reassembles messages and then forwards them to handlers in unsynchronized goroutines.\n\n**DNS [server/c2/dns.go](https://github.com/BishopFox/sliver/blob/master/server/c2/dns.go):**\n```go\n// Line 833: Forwarding the completed envelope\ngo dnsSession.ForwardCompletedEnvelope(msg.ID, pending)\n// ...\n// Inside ForwardCompletedEnvelope:\nif handler, ok := handlers[envelope.Type]; ok {\n respEnvelope := handler(s.ImplantConn, envelope.Data) // <--- PANIC HERE\n // ...\n}\n```\n\nThis asynchronous call also lacks a `recover()` block, making DNS sessions equally capable of crashing the entire server.\n\n### 4.4 Vulnerability Matrix by Protocol\n\n| Protocol | Uses `recover()`? | Impact of Panic | Server Crash? |\n| :--- | :---: | :--- | :---: |\n| **HTTP / HTTPS** | Yes (Built-in) | Request Terminated | No |\n| **mTLS** | No | Process Termination | **Yes** |\n| **WireGuard** | No | Process Termination | **Yes** |\n| **DNS** | No | Process Termination | **Yes** |\n\n\n## 5. Impact Analysis\nThe impact of this vulnerability is **Total Operational Paralysis**. Because the panic causes the entire Go runtime to terminate:\n- **Global Disconnection:** Every active session and beacon across all transports (including the resilient HTTP transport) is instantly terminated.\n- **Persistence Risk:** Implants waiting for their next check-in will find the server offline. Repeated failures may trigger internal implant \"kill-date\" or cleanup logic, or alert defensive monitoring to a failure in the C2 channel.\n- **Operator Eviction:** All active operators are evicted from the gRPC interface, losing all unsaved state, active shell buffers, and real-time monitoring streams.\n- **Operational Downtime:** Restoration requires manual intervention to restart the service and potentially re-establish complex pivot chains, creating a significant \"Recovery Time Objective\" (RTO) penalty.\n## 6. Countermeasures & Remediation\nAddressing these vulnerabilities requires a systemic shift towards \"fail-safe\" architecture. The root cause is a combination of unprotected Protobuf pointer dereferences and a lack of isolation in asynchronous transport layers.\n\n### 6.1 Tier 1: Tactical Defensive Programming\nThe immediate priority is to implement strict validation for all nested Protobuf fields. In Go, omitted sub-messages are `nil` after unmarshaling; handlers must assume any pointer-typed field from an implant is potentially `nil`.\n\n#### Implementation Pattern: Validation-First Handlers\nHandlers should validate the entire message structure before proceeding to business logic.\n\n```go\nbeaconReg := &sliverpb.BeaconRegister{}\nif err := proto.Unmarshal(data, beaconReg); err != nil {\n\treturn nil // Drop malformed wire data\n}\n\n// MANDATORY VALIDATION BLOCK\nif beaconReg.Register == nil {\n\tbeaconHandlerLog.Errorf(\"Nil Register message from %s\", core.GetRemoteAddr(implantConn))\n\treturn nil\n}\n\n// Deep access is now safe\nid := beaconReg.Register.Uuid\n// ...\n```\n\n### 6.2 Tier 2: Infrastructure Hardening (RPC Global Accessors)\nTo protect the gRPC/Operator interface, the server should deprecate direct access to the [Request](https://github.com/BishopFox/sliver/blob/master/server/core/sessions.go#L148-L185) metadata field in favor of safe accessors that handle missing metadata gracefully.\n#### Recommended Helper Update \n```go\n// server/rpc/rpc.go\n// getRequestSafe returns the Request metadata or an error, preventing panics\nfunc getRequestSafe(req GenericRequest) (*commonpb.Request, error) {\n r := req.GetRequest()\n if r == nil {\n return nil, status.Error(codes.InvalidArgument, \"missing mandatory 'Request' metadata\")\n }\n return r, nil\n}\n```\n### 6.3 Tier 3: Strategic Architectural Resilience (Panic Recovery Middleware)\nTo achieve parity with the resilience of the HTTP transport, all multiplexed transports (mTLS, WireGuard, DNS) must implement a supervisor pattern using Go's `recover()` mechanism.\n\n#### Implementation: Protected Handler Invoke\nAll handlers should be executed inside a \"Safe Wrapper\" that catches runtime panics, logs the failure, and terminates only the affected stream without crashing the entire C2 daemon.\n\n```go\nfunc SafeInvoke(handler ServerHandler, conn *core.ImplantConnection, data []byte) {\n defer func() {\n if r := recover(); r != nil {\n log.Errorf(\"RECOVERY: Intercepted panic in handler: %v\\n%s\", r, debug.Stack())\n // The daemon continues running; only this specific action failed.\n }\n }()\n \n response := handler(conn, data)\n if response != nil {\n conn.Send <- response\n }\n}\n```\n\n### 6.4 Tier 4: Long-Term Assurance\nThe framework should move away from manual nil-checking towards automated schema validation:\n- **`protoc-gen-validate` (PGV)**: Annotate [.proto](https://github.com/BishopFox/sliver/blob/master/protobuf/dnspb/dns.proto) files with `(validate.rules).message.required = true` and generate automatic validation code.\n- **Static Analysis CI**: Integrate custom linters to detect unprotected pointer dereferences of Protobuf types during the PR process.\n\nBy adopting this multi-tiered approach, Sliver evolves from a \"fail-deadly\" design to a robust, enterprise-grade C2 architecture.", "title": "github - https://github.com/advisories/GHSA-hx52-cv84-jr5v" }, { "category": "description", "text": "## 1. Executive Summary\nA vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations.\n\n## 2. Vulnerability Details\n### 2.0 Technical Workflow: From Envelope to Handler\nSliver encapsulates all C2 traffic in a generic `sliverpb.Envelope`, which acts as a routing wrapper. When the server receives an Envelope with `Type = 53` (MsgBeaconRegister), the internal router strips the envelope and passes the raw `Data` bytes directly to the vulnerable `handlers.beaconRegisterHandler(implantConn, data)`. This flow is consistent across all transports, but the **error handling** of the transport itself determines the final impact.\n\n### 2.1 BeaconRegister Nil-Pointer Dereference\n- **Vulnerability Type:** Remote Denial of Service via Nil-Pointer Dereference ([CWE-476](https://cwe.mitre.org/data/definitions/476.html))\n- **Component:** `server/handlers/beacons.go`\n- **Affected Functions:** [beaconRegisterHandler](https://github.com/BishopFox/sliver/blob/master/server/handlers/beacons.go#L46-L110).\n- **Severity:** Critical\n- **Complexity:** Low\n\n#### Root Cause Analysis\nThe core of the vulnerability lies in the architectural handling of Protobuf messages within the Go runtime. In `proto3`, all fields are optional by design. When a message contains a nested sub-message (like `Register` inside `BeaconRegister`), the Go Protobuf implementation represents this sub-message as a **pointer**.\n\nIn `server/handlers/beacons.go`, the server unmarshals the incoming data without subsequent validation of its nested structures:\n```Go\nfunc beaconRegisterHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {\n // ...\n beaconReg := &sliverpb.BeaconRegister{}\n err := proto.Unmarshal(data, beaconReg)\n\t// Successful even if 'Register' sub-message is omitted\n \n // VULNERABILITY: beaconReg.Register is nil if omitted by sender.\n // Accessing any property of a nil pointer triggers an immediate runtime panic.\n beaconRegUUID, _ := uuid.FromString(beaconReg.Register.Uuid) \n // ...\n}\n```\n\nIf an attacker constructs a `BeaconRegister` message and deliberately omits the `Register` field, `proto.Unmarshal` parses the stream without error but leaves the `Register` pointer as `nil`. The subsequent attempt to access `beaconReg.Register.Uuid` triggers a **Nil-Pointer Dereference**.\n### 2.2 Expanded Inventory: System-Wide Nil-Pointer Vulnerabilities\nBeyond the beacon registration, the investigation revealed a systemic pattern of missing nil-checks across various handlers. These vulnerabilities follow the same root cause: immediate dereferencing of nested Protobuf fields post-unmarshalling.\n\n#### 2.2.1 Remote Implant Vectors (Unauthenticated)\nThese handlers process data from implants. If an implant binary is captured, these can be triggered to crash the server:\n- **Reverse Tunneling (`server/handlers/sessions.go`):** The `createReverseTunnelHandler` panics when `req.Rportfwd` is omitted.\n- **SOCKS Proxying (`server/handlers/sessions.go`):** The `socksDataHandler` fails when the `SocksData` sub-message is absent.\n- **Pivot/Peer Communication (`server/handlers/pivot.go`):** Functions `serverKeyExchange` and `peersToString` dereference `peerEnvelope.Peers` without checking if the peer list is empty or nil.\n\n#### 2.2.2 Authenticated Operator Vectors (gRPC Layer)\nThe Sliver RPC server (`server/rpc/`) is also susceptible. While these require an authenticated operator, they represent a significant stability risk where a malformed request from a custom client or automated script can bring down the entire C2 infrastructure.\n\n| Function | File | Vulnerable Pattern |\n| ------------------- | ------------------------------- | ------------------------------------------------------- |\n| getTimeout | server/rpc/rpc.go | `req.GetRequest().Timeout` |\n| getError | server/rpc/rpc.go | `resp.GetResponse().Err` |\n| Portfwd | server/rpc/rpc-portfwd.go | `req.Request.SessionID` |\n| GetSystem | server/rpc/rpc-priv.go | `req.GetRequest().SessionID` |\n| GetPrivileges | server/rpc/rpc-priv.go | `req.Request.SessionID` |\n| NetConnPivot | server/rpc/rpc-pivot.go | `req.Request.SessionID` |\n| PivotListeners | server/rpc/rpc-pivot.go | `req.Request.SessionID` |\n| SocksStart | server/rpc/rpc-socks.go | `req.Request.SessionID` |\n| SocksStop | server/rpc/rpc-socks.go | `req.Request.SessionID` |\n| RPortfwd | server/rpc/rpc-rportfwd.go | `req.Request.SessionID` |\n| Shell | server/rpc/rpc-shell.go | `req.Request.SessionID` |\n| ShellResize | server/rpc/rpc-shell.go | `req.Request.SessionID` |\n| BackdoorImplant | server/rpc/rpc-backdoor.go | `req.Request.SessionID`, `req.Request.Timeout` |\n| CrackstationTrigger | server/rpc/rpc-crackstations.go | `statusUpdate.HostUUID` (after unmarshal of `req.Data`) |\n| Tasks | server/rpc/rpc-tasks.go | `req.Request.SessionID` |\n| ImplantReconfig | server/rpc/rpc-reconfig.go | `req.Request.SessionID` |\n| MsfInject | server/rpc/rpc-msf.go | `req.Request.SessionID` |\n| Hijack | server/rpc/rpc-hijack.go | `req.Request.SessionID` |\n\n---\n\n## 3. Proof of Concept & Attack Feasibility\n### 3.1 Attack Feasibility: Credential Extraction\nThe exploit requires valid implant credentials, which are inherently embedded in Sliver's generated binaries. Since these binaries are often deployed to untrusted or compromised environments, credential recovery is a high-probability event. During testing, it was confirmed that an attacker can obtain the required mTLS certificates and Age Secret Keys through:\n- **Static Extraction (Trivial):** By default, running the `strings` utility on the implant binary or dumping the embedded configuration block is sufficient to recover the private keys.\n- **Memory Forensics:** If an implant is captured during execution, the configuration structures can be carved directly from the process memory, bypassing most disk-level obfuscation.\n\n### 3.2 Exploit Execution Flow\nThe provided exploit [mtls_poc.go](https://github.com/skoveit/Sliver-Nil-Pointer-DoS-PoC/blob/main/mtls_poc.go) or [mtls_poc.go](https://gist.github.com/skoveit/a5e52b5c9197fc53e2605a861cd8aa33) demonstrates how a single captured implant can be weaponized into a \"Kill Switch\" for the entire C2 infrastructure. The attack follows these steps:\n1. **Authentication:** Establishes a valid mTLS connection using the extracted certificates.\n2. **Multiplexing:** Negotiates a Yamux stream, bypassing standard network-level protections.\n3. **Payload Construction:** Builds a `BeaconRegister` Protobuf message where the `ID` is defined, but the critical `Register` sub-message is explicitly omitted (set to `nil`).\n4. **Envelope Signing:** Deterministically signs the malicious envelope using the recovered Age private key to ensure it is accepted by the server.\n5. **Trigger:** Sends the malformed payload. Upon receipt, the server's handler attempts to dereference the missing `Register` pointer, leading to an immediate **Full Server DoS**.\n\n## 4. Transport-Specific Response & Recovery Analysis\nThe impact of this panic varies significantly depending on the C2 transport used by the implant. While the nil-pointer dereference happens in the shared handler logic, the transport layer determines whether this results in a localized request failure or a total server termination.\n\n### 4.1 HTTP/S Transport\nHTTP-based beacons do **not** crash the entire Sliver server. This is because Sliver utilizes the standard Go `net/http` library.\n\n**Code Reference ([server/c2/http.go](https://github.com/BishopFox/sliver/blob/master/server/c2/http.go)):**\n```go\nserver.HTTPServer = &http.Server{\n Addr: fmt.Sprintf(\"%s:%d\", req.Host, req.Port),\n Handler: server.router(),\n // ...\n}\n// ...\ngo server.HTTPServer.ListenAndServe()\n```\n\nBy design, `net/http`'s `ServeHTTP` implementation wraps every connection in a `defer recover()` block. When the [beaconRegisterHandler](https://github.com/BishopFox/sliver/blob/master/server/handlers/beacons.go#L46-L109) panics, the standard library catches it, logs the trace, and simply closes that specific TCP connection. The rest of the server remains unaffected.\n\n### 4.2 mTLS & WireGuard Transports (Full DoS)\nBoth mTLS and WireGuard utilize the `yamux` multiplexer to handle multiple streams over a single connection. Unlike the HTTP server, Sliver manually manages these goroutines without a global recovery mechanism.\n\n**mTLS [server/c2/mtls.go](https://github.com/BishopFox/sliver/blob/master/server/c2/mtls.go):**\n```go\nif handler, ok := handlers[envelope.Type]; ok {\n mtlsLog.Debugf(\"Received new mtls message type %d, data: %s\", envelope.Type, envelope.Data)\n go func(envelope *sliverpb.Envelope) {\n respEnvelope := handler(implantConn, envelope.Data) // <--- PANIC HERE\n if respEnvelope != nil {\n implantConn.Send <- respEnvelope\n }\n }(envelope)\n}\n```\n\n**WireGuard [server/c2/wireguard.go](https://github.com/BishopFox/sliver/blob/master/server/c2/wireguard.go):**\n```go\nif handler, ok := handlers[envelope.Type]; ok {\n go func(envelope *sliverpb.Envelope) {\n respEnvelope := handler(implantConn, envelope.Data) // <--- PANIC HERE\n // ...\n }(envelope)\n}\n```\n\nBecause these handlers are invoked in a **raw goroutine** without a `recover()` block, the panic propagates to the top of the stack, causing the entire Go runtime to exit (SIGSEGV). This kills the `sliver-server` process immediately.\n\n### 4.3 DNS Transport (Full DoS)\nSimilar to mTLS, the DNS transport reassembles messages and then forwards them to handlers in unsynchronized goroutines.\n\n**DNS [server/c2/dns.go](https://github.com/BishopFox/sliver/blob/master/server/c2/dns.go):**\n```go\n// Line 833: Forwarding the completed envelope\ngo dnsSession.ForwardCompletedEnvelope(msg.ID, pending)\n// ...\n// Inside ForwardCompletedEnvelope:\nif handler, ok := handlers[envelope.Type]; ok {\n respEnvelope := handler(s.ImplantConn, envelope.Data) // <--- PANIC HERE\n // ...\n}\n```\n\nThis asynchronous call also lacks a `recover()` block, making DNS sessions equally capable of crashing the entire server.\n\n### 4.4 Vulnerability Matrix by Protocol\n\n| Protocol | Uses `recover()`? | Impact of Panic | Server Crash? |\n| :--- | :---: | :--- | :---: |\n| **HTTP / HTTPS** | Yes (Built-in) | Request Terminated | No |\n| **mTLS** | No | Process Termination | **Yes** |\n| **WireGuard** | No | Process Termination | **Yes** |\n| **DNS** | No | Process Termination | **Yes** |\n\n\n## 5. Impact Analysis\nThe impact of this vulnerability is **Total Operational Paralysis**. Because the panic causes the entire Go runtime to terminate:\n- **Global Disconnection:** Every active session and beacon across all transports (including the resilient HTTP transport) is instantly terminated.\n- **Persistence Risk:** Implants waiting for their next check-in will find the server offline. Repeated failures may trigger internal implant \"kill-date\" or cleanup logic, or alert defensive monitoring to a failure in the C2 channel.\n- **Operator Eviction:** All active operators are evicted from the gRPC interface, losing all unsaved state, active shell buffers, and real-time monitoring streams.\n- **Operational Downtime:** Restoration requires manual intervention to restart the service and potentially re-establish complex pivot chains, creating a significant \"Recovery Time Objective\" (RTO) penalty.\n## 6. Countermeasures & Remediation\nAddressing these vulnerabilities requires a systemic shift towards \"fail-safe\" architecture. The root cause is a combination of unprotected Protobuf pointer dereferences and a lack of isolation in asynchronous transport layers.\n\n### 6.1 Tier 1: Tactical Defensive Programming\nThe immediate priority is to implement strict validation for all nested Protobuf fields. In Go, omitted sub-messages are `nil` after unmarshaling; handlers must assume any pointer-typed field from an implant is potentially `nil`.\n\n#### Implementation Pattern: Validation-First Handlers\nHandlers should validate the entire message structure before proceeding to business logic.\n\n```go\nbeaconReg := &sliverpb.BeaconRegister{}\nif err := proto.Unmarshal(data, beaconReg); err != nil {\n\treturn nil // Drop malformed wire data\n}\n\n// MANDATORY VALIDATION BLOCK\nif beaconReg.Register == nil {\n\tbeaconHandlerLog.Errorf(\"Nil Register message from %s\", core.GetRemoteAddr(implantConn))\n\treturn nil\n}\n\n// Deep access is now safe\nid := beaconReg.Register.Uuid\n// ...\n```\n\n### 6.2 Tier 2: Infrastructure Hardening (RPC Global Accessors)\nTo protect the gRPC/Operator interface, the server should deprecate direct access to the [Request](https://github.com/BishopFox/sliver/blob/master/server/core/sessions.go#L148-L185) metadata field in favor of safe accessors that handle missing metadata gracefully.\n#### Recommended Helper Update \n```go\n// server/rpc/rpc.go\n// getRequestSafe returns the Request metadata or an error, preventing panics\nfunc getRequestSafe(req GenericRequest) (*commonpb.Request, error) {\n r := req.GetRequest()\n if r == nil {\n return nil, status.Error(codes.InvalidArgument, \"missing mandatory 'Request' metadata\")\n }\n return r, nil\n}\n```\n### 6.3 Tier 3: Strategic Architectural Resilience (Panic Recovery Middleware)\nTo achieve parity with the resilience of the HTTP transport, all multiplexed transports (mTLS, WireGuard, DNS) must implement a supervisor pattern using Go's `recover()` mechanism.\n\n#### Implementation: Protected Handler Invoke\nAll handlers should be executed inside a \"Safe Wrapper\" that catches runtime panics, logs the failure, and terminates only the affected stream without crashing the entire C2 daemon.\n\n```go\nfunc SafeInvoke(handler ServerHandler, conn *core.ImplantConnection, data []byte) {\n defer func() {\n if r := recover(); r != nil {\n log.Errorf(\"RECOVERY: Intercepted panic in handler: %v\\n%s\", r, debug.Stack())\n // The daemon continues running; only this specific action failed.\n }\n }()\n \n response := handler(conn, data)\n if response != nil {\n conn.Send <- response\n }\n}\n```\n\n### 6.4 Tier 4: Long-Term Assurance\nThe framework should move away from manual nil-checking towards automated schema validation:\n- **`protoc-gen-validate` (PGV)**: Annotate [.proto](https://github.com/BishopFox/sliver/blob/master/protobuf/dnspb/dns.proto) files with `(validate.rules).message.required = true` and generate automatic validation code.\n- **Static Analysis CI**: Integrate custom linters to detect unprotected pointer dereferences of Protobuf types during the PR process.\n\nBy adopting this multi-tiered approach, Sliver evolves from a \"fail-deadly\" design to a robust, enterprise-grade C2 architecture.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-hx52-cv84-jr5v.json?alt=media" }, { "category": "description", "text": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-29781" }, { "category": "description", "text": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-29781" }, { "category": "description", "text": "Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers in github.com/bishopfox/sliver", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4609.json?alt=media" }, { "category": "description", "text": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-29781.json?alt=media" }, { "category": "other", "text": "0.00056", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "title": "CVSSV4" }, { "category": "other", "text": "2.1", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.6", "title": "NCSC Score" }, { "category": "other", "text": "Is related to CWE-476 (NULL Pointer Dereference)", "title": "NCSC Score top increasing factors" }, { "category": "other", "text": "There is exploit data available from source Nvd, Is related to (a version of) an uncommon product, Is related to an uncommon product vendor, The value of the most recent CVSS (V3) score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5760878", "CSAFPID-5769858", "CSAFPID-5800187", "CSAFPID-3794399", "CSAFPID-3794400", "CSAFPID-3794401", "CSAFPID-3794402", "CSAFPID-3794403", "CSAFPID-3794404", "CSAFPID-3794405", "CSAFPID-3794406", "CSAFPID-3794407", "CSAFPID-3794408", "CSAFPID-3794409", "CSAFPID-3794410", "CSAFPID-3794411", "CSAFPID-3794412", "CSAFPID-3794413", "CSAFPID-3794414", "CSAFPID-3794415", "CSAFPID-3794416", "CSAFPID-3794417", "CSAFPID-3794418", "CSAFPID-3794419", "CSAFPID-3794420", "CSAFPID-3794421", "CSAFPID-3794422", "CSAFPID-3794423", "CSAFPID-3794424", "CSAFPID-3794425", "CSAFPID-3794426", "CSAFPID-3794427", "CSAFPID-3794428", "CSAFPID-3794429", "CSAFPID-3794430", "CSAFPID-3794431", "CSAFPID-3794432", "CSAFPID-3794433", "CSAFPID-3794434", "CSAFPID-3794435", "CSAFPID-3794436", "CSAFPID-3794437", "CSAFPID-3794438", "CSAFPID-3794439", "CSAFPID-3794440", "CSAFPID-3794441", "CSAFPID-3794442", "CSAFPID-3794443", "CSAFPID-3794444", "CSAFPID-3794445", "CSAFPID-3794446", "CSAFPID-3794447", "CSAFPID-3794448", "CSAFPID-3794449", "CSAFPID-3794450", "CSAFPID-3794451", "CSAFPID-3794452", "CSAFPID-3794453", "CSAFPID-3794454", "CSAFPID-3794455", "CSAFPID-3794456", "CSAFPID-3794457", "CSAFPID-3794458", "CSAFPID-3794459", "CSAFPID-3794460", "CSAFPID-3794461", "CSAFPID-3794462", "CSAFPID-3794463", "CSAFPID-3794464", "CSAFPID-3794465", "CSAFPID-3794466", "CSAFPID-3794467", "CSAFPID-3794468", "CSAFPID-3794469", "CSAFPID-3794470", "CSAFPID-3794471", "CSAFPID-3794472", "CSAFPID-3794473", "CSAFPID-3794474", "CSAFPID-3794478", "CSAFPID-3794479", "CSAFPID-3794480", "CSAFPID-3794481", "CSAFPID-3794482", "CSAFPID-5577729", "CSAFPID-5577730", "CSAFPID-5577731", "CSAFPID-5577732", "CSAFPID-5577733", "CSAFPID-5577734", "CSAFPID-5577735", "CSAFPID-5577736", "CSAFPID-5577737", "CSAFPID-5577738", "CSAFPID-5577739", "CSAFPID-5587663", "CSAFPID-5587664", "CSAFPID-5909029", "CSAFPID-5909030", "CSAFPID-5909031" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-hx52-cv84-jr5v" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-hx52-cv84-jr5v" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-hx52-cv84-jr5v.json?alt=media" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-29781" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/29xxx/CVE-2026-29781.json" }, { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29781" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-29781" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29781" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4609.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-29781.json?alt=media" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-hx52-cv84-jr5v" }, { "category": "external", "summary": "Reference - github; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29781" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29781.json" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-3794399", "CSAFPID-3794400", "CSAFPID-3794401", "CSAFPID-3794402", "CSAFPID-3794403", "CSAFPID-3794404", "CSAFPID-3794405", "CSAFPID-3794406", "CSAFPID-3794407", "CSAFPID-3794408", "CSAFPID-3794409", "CSAFPID-3794410", "CSAFPID-3794411", "CSAFPID-3794412", "CSAFPID-3794413", "CSAFPID-3794414", "CSAFPID-3794415", "CSAFPID-3794416", "CSAFPID-3794417", "CSAFPID-3794418", "CSAFPID-3794419", "CSAFPID-3794420", "CSAFPID-3794421", "CSAFPID-3794422", "CSAFPID-3794423", "CSAFPID-3794424", "CSAFPID-3794425", "CSAFPID-3794426", "CSAFPID-3794427", "CSAFPID-3794428", "CSAFPID-3794429", "CSAFPID-3794430", "CSAFPID-3794431", "CSAFPID-3794432", "CSAFPID-3794433", "CSAFPID-3794434", "CSAFPID-3794435", "CSAFPID-3794436", "CSAFPID-3794437", "CSAFPID-3794438", "CSAFPID-3794439", "CSAFPID-3794440", "CSAFPID-3794441", "CSAFPID-3794442", "CSAFPID-3794443", "CSAFPID-3794444", "CSAFPID-3794445", "CSAFPID-3794446", "CSAFPID-3794447", "CSAFPID-3794448", "CSAFPID-3794449", "CSAFPID-3794450", "CSAFPID-3794451", "CSAFPID-3794452", "CSAFPID-3794453", "CSAFPID-3794454", "CSAFPID-3794455", "CSAFPID-3794456", "CSAFPID-3794457", "CSAFPID-3794458", "CSAFPID-3794459", "CSAFPID-3794460", "CSAFPID-3794461", "CSAFPID-3794462", "CSAFPID-3794463", "CSAFPID-3794464", "CSAFPID-3794465", "CSAFPID-3794466", "CSAFPID-3794467", "CSAFPID-3794468", "CSAFPID-3794469", "CSAFPID-3794470", "CSAFPID-3794471", "CSAFPID-3794472", "CSAFPID-3794473", "CSAFPID-3794474", "CSAFPID-3794478", "CSAFPID-3794479", "CSAFPID-3794480", "CSAFPID-3794481", "CSAFPID-3794482", "CSAFPID-5577729", "CSAFPID-5577730", "CSAFPID-5577731", "CSAFPID-5577732", "CSAFPID-5577733", "CSAFPID-5577734", "CSAFPID-5577735", "CSAFPID-5577736", "CSAFPID-5577737", "CSAFPID-5577738", "CSAFPID-5577739", "CSAFPID-5587663", "CSAFPID-5587664", "CSAFPID-5760878", "CSAFPID-5769858", "CSAFPID-5800187", "CSAFPID-5909029", "CSAFPID-5909030", "CSAFPID-5909031" ] } ], "title": "CVE-2026-29781" } ] }