Vulnerability-Lookup

CVE-2026-29781 (GCVE-0-2026-29781)

Vulnerability from cvelistv5 – Published: 2026-03-07 15:25 – Updated: 2026-03-09 18:26

Title

Sliver: Authenticated Nil-Pointer Dereference in Handlers

Summary

Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure "kill-switch," instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.

Severity ?

2.1 (Low)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

CWE

CWE-476 - NULL Pointer Dereference

Assigner

GitHub_M

References

URL

Tags

https://github.com/BishopFox/sliver/security/advi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	BishopFox	sliver	Affected: <= 1.7.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29781",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T17:52:33.760045Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T18:26:52.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sliver",
          "vendor": "BishopFox",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 1.7.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server\u0027s Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-476",
              "description": "CWE-476: NULL Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T15:25:23.698Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v"
        }
      ],
      "source": {
        "advisory": "GHSA-hx52-cv84-jr5v",
        "discovery": "UNKNOWN"
      },
      "title": "Sliver: Authenticated Nil-Pointer Dereference in Handlers"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29781",
    "datePublished": "2026-03-07T15:25:23.698Z",
    "dateReserved": "2026-03-04T16:26:02.898Z",
    "dateUpdated": "2026-03-09T18:26:52.610Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29781\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-07T16:15:55.280\",\"lastModified\":\"2026-03-11T21:59:55.763\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server\u0027s Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \\\"kill-switch,\\\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.\"},{\"lang\":\"es\",\"value\":\"Sliver es un framework de comando y control que utiliza una pila de red Wireguard personalizada. En versiones desde la 1.7.3 y anteriores, existe una vulnerabilidad en la l\u00f3gica de desmarshalling de Protobuf del servidor C2 de Sliver debido a una falta sist\u00e9mica de validaci\u00f3n de punteros nulos. Al extraer credenciales de implante v\u00e1lidas y omitir campos anidados en un mensaje firmado, un actor autenticado puede desencadenar un p\u00e1nico en tiempo de ejecuci\u00f3n no manejado. Debido a que las capas de transporte mTLS, WireGuard y DNS carecen del middleware de recuperaci\u00f3n de p\u00e1nico presente en el transporte HTTP, esto resulta en una terminaci\u00f3n global del proceso. Si bien requiere acceso post-autenticaci\u00f3n (un implante capturado), este fallo act\u00faa efectivamente como un \u0027kill-switch\u0027 de infraestructura, interrumpiendo instant\u00e1neamente todas las sesiones activas en toda la flota y requiriendo un reinicio manual del servidor para restaurar las operaciones. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.7.3\",\"matchCriteriaId\":\"3F9D34DC-4587-4F54-A769-5B833439B841\"}]}]}],\"references\":[{\"url\":\"https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29781\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T17:52:33.760045Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T17:52:34.862Z\"}}], \"cna\": {\"title\": \"Sliver: Authenticated Nil-Pointer Dereference in Handlers\", \"source\": {\"advisory\": \"GHSA-hx52-cv84-jr5v\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 2.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"BishopFox\", \"product\": \"sliver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 1.7.3\"}]}], \"references\": [{\"url\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v\", \"name\": \"https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server\u0027s Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \\\"kill-switch,\\\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476: NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-07T15:25:23.698Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29781\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T18:26:52.610Z\", \"dateReserved\": \"2026-03-04T16:26:02.898Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-07T15:25:23.698Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-29781

Vulnerability from fkie_nvd - Published: 2026-03-07 16:15 - Updated: 2026-03-11 21:59

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	bishopfox	sliver	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bishopfox:sliver:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3F9D34DC-4587-4F54-A769-5B833439B841",
              "versionEndIncluding": "1.7.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server\u0027s Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches."
    },
    {
      "lang": "es",
      "value": "Sliver es un framework de comando y control que utiliza una pila de red Wireguard personalizada. En versiones desde la 1.7.3 y anteriores, existe una vulnerabilidad en la l\u00f3gica de desmarshalling de Protobuf del servidor C2 de Sliver debido a una falta sist\u00e9mica de validaci\u00f3n de punteros nulos. Al extraer credenciales de implante v\u00e1lidas y omitir campos anidados en un mensaje firmado, un actor autenticado puede desencadenar un p\u00e1nico en tiempo de ejecuci\u00f3n no manejado. Debido a que las capas de transporte mTLS, WireGuard y DNS carecen del middleware de recuperaci\u00f3n de p\u00e1nico presente en el transporte HTTP, esto resulta en una terminaci\u00f3n global del proceso. Si bien requiere acceso post-autenticaci\u00f3n (un implante capturado), este fallo act\u00faa efectivamente como un \u0027kill-switch\u0027 de infraestructura, interrumpiendo instant\u00e1neamente todas las sesiones activas en toda la flota y requiriendo un reinicio manual del servidor para restaurar las operaciones. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."
    }
  ],
  "id": "CVE-2026-29781",
  "lastModified": "2026-03-11T21:59:55.763",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-07T16:15:55.280",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-HX52-CV84-JR5V

Vulnerability from github – Published: 2026-03-05 00:26 – Updated: 2026-03-09 15:49

Summary

Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers

Details

1. Executive Summary

A vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure "kill-switch," instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations.

2. Vulnerability Details

2.0 Technical Workflow: From Envelope to Handler

Sliver encapsulates all C2 traffic in a generic sliverpb.Envelope, which acts as a routing wrapper. When the server receives an Envelope with Type = 53 (MsgBeaconRegister), the internal router strips the envelope and passes the raw Data bytes directly to the vulnerable handlers.beaconRegisterHandler(implantConn, data). This flow is consistent across all transports, but the error handling of the transport itself determines the final impact.

2.1 BeaconRegister Nil-Pointer Dereference

Vulnerability Type: Remote Denial of Service via Nil-Pointer Dereference (CWE-476)
Component: server/handlers/beacons.go
Affected Functions: beaconRegisterHandler.
Severity: Critical
Complexity: Low

Root Cause Analysis

The core of the vulnerability lies in the architectural handling of Protobuf messages within the Go runtime. In proto3, all fields are optional by design. When a message contains a nested sub-message (like Register inside BeaconRegister), the Go Protobuf implementation represents this sub-message as a pointer.

In server/handlers/beacons.go, the server unmarshals the incoming data without subsequent validation of its nested structures:

func beaconRegisterHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {
    // ...
    beaconReg := &sliverpb.BeaconRegister{}
    err := proto.Unmarshal(data, beaconReg)
    // Successful even if 'Register' sub-message is omitted

    // VULNERABILITY: beaconReg.Register is nil if omitted by sender.
    // Accessing any property of a nil pointer triggers an immediate runtime panic.
    beaconRegUUID, _ := uuid.FromString(beaconReg.Register.Uuid) 
    // ...
}

If an attacker constructs a BeaconRegister message and deliberately omits the Register field, proto.Unmarshal parses the stream without error but leaves the Register pointer as nil. The subsequent attempt to access beaconReg.Register.Uuid triggers a Nil-Pointer Dereference.

2.2 Expanded Inventory: System-Wide Nil-Pointer Vulnerabilities

Beyond the beacon registration, the investigation revealed a systemic pattern of missing nil-checks across various handlers. These vulnerabilities follow the same root cause: immediate dereferencing of nested Protobuf fields post-unmarshalling.

2.2.1 Remote Implant Vectors (Unauthenticated)

These handlers process data from implants. If an implant binary is captured, these can be triggered to crash the server: - Reverse Tunneling (server/handlers/sessions.go): The createReverseTunnelHandler panics when req.Rportfwd is omitted. - SOCKS Proxying (server/handlers/sessions.go): The socksDataHandler fails when the SocksData sub-message is absent. - Pivot/Peer Communication (server/handlers/pivot.go): Functions serverKeyExchange and peersToString dereference peerEnvelope.Peers without checking if the peer list is empty or nil.

2.2.2 Authenticated Operator Vectors (gRPC Layer)

The Sliver RPC server (server/rpc/) is also susceptible. While these require an authenticated operator, they represent a significant stability risk where a malformed request from a custom client or automated script can bring down the entire C2 infrastructure.

Function	File	Vulnerable Pattern
getTimeout	server/rpc/rpc.go	`req.GetRequest().Timeout`
getError	server/rpc/rpc.go	`resp.GetResponse().Err`
Portfwd	server/rpc/rpc-portfwd.go	`req.Request.SessionID`
GetSystem	server/rpc/rpc-priv.go	`req.GetRequest().SessionID`
GetPrivileges	server/rpc/rpc-priv.go	`req.Request.SessionID`
NetConnPivot	server/rpc/rpc-pivot.go	`req.Request.SessionID`
PivotListeners	server/rpc/rpc-pivot.go	`req.Request.SessionID`
SocksStart	server/rpc/rpc-socks.go	`req.Request.SessionID`
SocksStop	server/rpc/rpc-socks.go	`req.Request.SessionID`
RPortfwd	server/rpc/rpc-rportfwd.go	`req.Request.SessionID`
Shell	server/rpc/rpc-shell.go	`req.Request.SessionID`
ShellResize	server/rpc/rpc-shell.go	`req.Request.SessionID`
BackdoorImplant	server/rpc/rpc-backdoor.go	`req.Request.SessionID`, `req.Request.Timeout`
CrackstationTrigger	server/rpc/rpc-crackstations.go	`statusUpdate.HostUUID` (after unmarshal of `req.Data`)
Tasks	server/rpc/rpc-tasks.go	`req.Request.SessionID`
ImplantReconfig	server/rpc/rpc-reconfig.go	`req.Request.SessionID`
MsfInject	server/rpc/rpc-msf.go	`req.Request.SessionID`
Hijack	server/rpc/rpc-hijack.go	`req.Request.SessionID`

3. Proof of Concept & Attack Feasibility

3.1 Attack Feasibility: Credential Extraction

The exploit requires valid implant credentials, which are inherently embedded in Sliver's generated binaries. Since these binaries are often deployed to untrusted or compromised environments, credential recovery is a high-probability event. During testing, it was confirmed that an attacker can obtain the required mTLS certificates and Age Secret Keys through: - Static Extraction (Trivial): By default, running the strings utility on the implant binary or dumping the embedded configuration block is sufficient to recover the private keys. - Memory Forensics: If an implant is captured during execution, the configuration structures can be carved directly from the process memory, bypassing most disk-level obfuscation.

3.2 Exploit Execution Flow

The provided exploit mtls_poc.go or mtls_poc.go demonstrates how a single captured implant can be weaponized into a "Kill Switch" for the entire C2 infrastructure. The attack follows these steps: 1. Authentication: Establishes a valid mTLS connection using the extracted certificates. 2. Multiplexing: Negotiates a Yamux stream, bypassing standard network-level protections. 3. Payload Construction: Builds a BeaconRegister Protobuf message where the ID is defined, but the critical Register sub-message is explicitly omitted (set to nil). 4. Envelope Signing: Deterministically signs the malicious envelope using the recovered Age private key to ensure it is accepted by the server. 5. Trigger: Sends the malformed payload. Upon receipt, the server's handler attempts to dereference the missing Register pointer, leading to an immediate Full Server DoS.

4. Transport-Specific Response & Recovery Analysis

The impact of this panic varies significantly depending on the C2 transport used by the implant. While the nil-pointer dereference happens in the shared handler logic, the transport layer determines whether this results in a localized request failure or a total server termination.

4.1 HTTP/S Transport

HTTP-based beacons do not crash the entire Sliver server. This is because Sliver utilizes the standard Go net/http library.

Code Reference (server/c2/http.go):

server.HTTPServer = &http.Server{
    Addr:         fmt.Sprintf("%s:%d", req.Host, req.Port),
    Handler:      server.router(),
    // ...
}
// ...
go server.HTTPServer.ListenAndServe()

By design, net/http's ServeHTTP implementation wraps every connection in a defer recover() block. When the beaconRegisterHandler panics, the standard library catches it, logs the trace, and simply closes that specific TCP connection. The rest of the server remains unaffected.

4.2 mTLS & WireGuard Transports (Full DoS)

Both mTLS and WireGuard utilize the yamux multiplexer to handle multiple streams over a single connection. Unlike the HTTP server, Sliver manually manages these goroutines without a global recovery mechanism.

mTLS server/c2/mtls.go:

if handler, ok := handlers[envelope.Type]; ok {
    mtlsLog.Debugf("Received new mtls message type %d, data: %s", envelope.Type, envelope.Data)
    go func(envelope *sliverpb.Envelope) {
        respEnvelope := handler(implantConn, envelope.Data) // <--- PANIC HERE
        if respEnvelope != nil {
            implantConn.Send <- respEnvelope
        }
    }(envelope)
}

WireGuard server/c2/wireguard.go:

if handler, ok := handlers[envelope.Type]; ok {
    go func(envelope *sliverpb.Envelope) {
        respEnvelope := handler(implantConn, envelope.Data) // <--- PANIC HERE
        // ...
    }(envelope)
}

Because these handlers are invoked in a raw goroutine without a recover() block, the panic propagates to the top of the stack, causing the entire Go runtime to exit (SIGSEGV). This kills the sliver-server process immediately.

4.3 DNS Transport (Full DoS)

Similar to mTLS, the DNS transport reassembles messages and then forwards them to handlers in unsynchronized goroutines.

DNS server/c2/dns.go:

// Line 833: Forwarding the completed envelope
go dnsSession.ForwardCompletedEnvelope(msg.ID, pending)
// ...
// Inside ForwardCompletedEnvelope:
if handler, ok := handlers[envelope.Type]; ok {
    respEnvelope := handler(s.ImplantConn, envelope.Data) // <--- PANIC HERE
    // ...
}

This asynchronous call also lacks a recover() block, making DNS sessions equally capable of crashing the entire server.

4.4 Vulnerability Matrix by Protocol

Protocol	Uses `recover()`?	Impact of Panic	Server Crash?
HTTP / HTTPS	Yes (Built-in)	Request Terminated	No
mTLS	No	Process Termination	Yes
WireGuard	No	Process Termination	Yes
DNS	No	Process Termination	Yes

5. Impact Analysis

The impact of this vulnerability is Total Operational Paralysis. Because the panic causes the entire Go runtime to terminate: - Global Disconnection: Every active session and beacon across all transports (including the resilient HTTP transport) is instantly terminated. - Persistence Risk: Implants waiting for their next check-in will find the server offline. Repeated failures may trigger internal implant "kill-date" or cleanup logic, or alert defensive monitoring to a failure in the C2 channel. - Operator Eviction: All active operators are evicted from the gRPC interface, losing all unsaved state, active shell buffers, and real-time monitoring streams. - Operational Downtime: Restoration requires manual intervention to restart the service and potentially re-establish complex pivot chains, creating a significant "Recovery Time Objective" (RTO) penalty.

6. Countermeasures & Remediation

Addressing these vulnerabilities requires a systemic shift towards "fail-safe" architecture. The root cause is a combination of unprotected Protobuf pointer dereferences and a lack of isolation in asynchronous transport layers.

6.1 Tier 1: Tactical Defensive Programming

The immediate priority is to implement strict validation for all nested Protobuf fields. In Go, omitted sub-messages are nil after unmarshaling; handlers must assume any pointer-typed field from an implant is potentially nil.

Implementation Pattern: Validation-First Handlers

Handlers should validate the entire message structure before proceeding to business logic.

beaconReg := &sliverpb.BeaconRegister{}
if err := proto.Unmarshal(data, beaconReg); err != nil {
    return nil // Drop malformed wire data
}

// MANDATORY VALIDATION BLOCK
if beaconReg.Register == nil {
    beaconHandlerLog.Errorf("Nil Register message from %s", core.GetRemoteAddr(implantConn))
    return nil
}

// Deep access is now safe
id := beaconReg.Register.Uuid
// ...

6.2 Tier 2: Infrastructure Hardening (RPC Global Accessors)

To protect the gRPC/Operator interface, the server should deprecate direct access to the Request metadata field in favor of safe accessors that handle missing metadata gracefully.

Recommended Helper Update

// server/rpc/rpc.go
// getRequestSafe returns the Request metadata or an error, preventing panics
func getRequestSafe(req GenericRequest) (*commonpb.Request, error) {
    r := req.GetRequest()
    if r == nil {
        return nil, status.Error(codes.InvalidArgument, "missing mandatory 'Request' metadata")
    }
    return r, nil
}

6.3 Tier 3: Strategic Architectural Resilience (Panic Recovery Middleware)

To achieve parity with the resilience of the HTTP transport, all multiplexed transports (mTLS, WireGuard, DNS) must implement a supervisor pattern using Go's recover() mechanism.

Implementation: Protected Handler Invoke

All handlers should be executed inside a "Safe Wrapper" that catches runtime panics, logs the failure, and terminates only the affected stream without crashing the entire C2 daemon.

func SafeInvoke(handler ServerHandler, conn *core.ImplantConnection, data []byte) {
    defer func() {
        if r := recover(); r != nil {
            log.Errorf("RECOVERY: Intercepted panic in handler: %v\n%s", r, debug.Stack())
            // The daemon continues running; only this specific action failed.
        }
    }()

    response := handler(conn, data)
    if response != nil {
        conn.Send <- response
    }
}

6.4 Tier 4: Long-Term Assurance

The framework should move away from manual nil-checking towards automated schema validation: - protoc-gen-validate (PGV): Annotate .proto files with (validate.rules).message.required = true and generate automatic validation code. - Static Analysis CI: Integrate custom linters to detect unprotected pointer dereferences of Protobuf types during the PR process.

By adopting this multi-tiered approach, Sliver evolves from a "fail-deadly" design to a robust, enterprise-grade C2 architecture.

Severity ?

2.1 (Low)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bishopfox/sliver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-476"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-05T00:26:40Z",
    "nvd_published_at": "2026-03-07T16:15:55Z",
    "severity": "LOW"
  },
  "details": "## 1. Executive Summary\nA vulnerability exists in the Sliver C2 server\u0027s Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure \"kill-switch,\" instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations.\n\n## 2. Vulnerability Details\n### 2.0 Technical Workflow: From Envelope to Handler\nSliver encapsulates all C2 traffic in a generic `sliverpb.Envelope`, which acts as a routing wrapper. When the server receives an Envelope with `Type = 53` (MsgBeaconRegister), the internal router strips the envelope and passes the raw `Data` bytes directly to the vulnerable `handlers.beaconRegisterHandler(implantConn, data)`. This flow is consistent across all transports, but the **error handling** of the transport itself determines the final impact.\n\n### 2.1 BeaconRegister Nil-Pointer Dereference\n- **Vulnerability Type:** Remote Denial of Service via Nil-Pointer Dereference ([CWE-476](https://cwe.mitre.org/data/definitions/476.html))\n- **Component:** `server/handlers/beacons.go`\n- **Affected Functions:** [beaconRegisterHandler](https://github.com/BishopFox/sliver/blob/master/server/handlers/beacons.go#L46-L110).\n- **Severity:** Critical\n- **Complexity:** Low\n\n#### Root Cause Analysis\nThe core of the vulnerability lies in the architectural handling of Protobuf messages within the Go runtime. In `proto3`, all fields are optional by design. When a message contains a nested sub-message (like `Register` inside `BeaconRegister`), the Go Protobuf implementation represents this sub-message as a **pointer**.\n\nIn `server/handlers/beacons.go`, the server unmarshals the incoming data without subsequent validation of its nested structures:\n```Go\nfunc beaconRegisterHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {\n    // ...\n    beaconReg := \u0026sliverpb.BeaconRegister{}\n    err := proto.Unmarshal(data, beaconReg)\n\t// Successful even if \u0027Register\u0027 sub-message is omitted\n    \n    // VULNERABILITY: beaconReg.Register is nil if omitted by sender.\n    // Accessing any property of a nil pointer triggers an immediate runtime panic.\n    beaconRegUUID, _ := uuid.FromString(beaconReg.Register.Uuid) \n    // ...\n}\n```\n\nIf an attacker constructs a `BeaconRegister` message and deliberately omits the `Register` field, `proto.Unmarshal` parses the stream without error but leaves the `Register` pointer as `nil`. The subsequent attempt to access `beaconReg.Register.Uuid` triggers a **Nil-Pointer Dereference**.\n### 2.2 Expanded Inventory: System-Wide Nil-Pointer Vulnerabilities\nBeyond the beacon registration, the investigation revealed a systemic pattern of missing nil-checks across various handlers. These vulnerabilities follow the same root cause: immediate dereferencing of nested Protobuf fields post-unmarshalling.\n\n#### 2.2.1 Remote Implant Vectors (Unauthenticated)\nThese handlers process data from implants. If an implant binary is captured, these can be triggered to crash the server:\n- **Reverse Tunneling (`server/handlers/sessions.go`):** The `createReverseTunnelHandler` panics when `req.Rportfwd` is omitted.\n- **SOCKS Proxying (`server/handlers/sessions.go`):** The `socksDataHandler` fails when the `SocksData` sub-message is absent.\n- **Pivot/Peer Communication (`server/handlers/pivot.go`):** Functions `serverKeyExchange` and `peersToString` dereference `peerEnvelope.Peers` without checking if the peer list is empty or nil.\n\n#### 2.2.2 Authenticated Operator Vectors (gRPC Layer)\nThe Sliver RPC server (`server/rpc/`) is also susceptible. While these require an authenticated operator, they represent a significant stability risk where a malformed request from a custom client or automated script can bring down the entire C2 infrastructure.\n\n| Function            | File                            | Vulnerable Pattern                                      |\n| ------------------- | ------------------------------- | ------------------------------------------------------- |\n| getTimeout          | server/rpc/rpc.go               | `req.GetRequest().Timeout`                              |\n| getError            | server/rpc/rpc.go               | `resp.GetResponse().Err`                                |\n| Portfwd             | server/rpc/rpc-portfwd.go       | `req.Request.SessionID`                                 |\n| GetSystem           | server/rpc/rpc-priv.go          | `req.GetRequest().SessionID`                            |\n| GetPrivileges       | server/rpc/rpc-priv.go          | `req.Request.SessionID`                                 |\n| NetConnPivot        | server/rpc/rpc-pivot.go         | `req.Request.SessionID`                                 |\n| PivotListeners      | server/rpc/rpc-pivot.go         | `req.Request.SessionID`                                 |\n| SocksStart          | server/rpc/rpc-socks.go         | `req.Request.SessionID`                                 |\n| SocksStop           | server/rpc/rpc-socks.go         | `req.Request.SessionID`                                 |\n| RPortfwd            | server/rpc/rpc-rportfwd.go      | `req.Request.SessionID`                                 |\n| Shell               | server/rpc/rpc-shell.go         | `req.Request.SessionID`                                 |\n| ShellResize         | server/rpc/rpc-shell.go         | `req.Request.SessionID`                                 |\n| BackdoorImplant     | server/rpc/rpc-backdoor.go      | `req.Request.SessionID`,\u00a0`req.Request.Timeout`          |\n| CrackstationTrigger | server/rpc/rpc-crackstations.go | `statusUpdate.HostUUID`\u00a0(after unmarshal of\u00a0`req.Data`) |\n| Tasks               | server/rpc/rpc-tasks.go         | `req.Request.SessionID`                                 |\n| ImplantReconfig     | server/rpc/rpc-reconfig.go      | `req.Request.SessionID`                                 |\n| MsfInject           | server/rpc/rpc-msf.go           | `req.Request.SessionID`                                 |\n| Hijack              | server/rpc/rpc-hijack.go        | `req.Request.SessionID`                                 |\n\n---\n\n## 3. Proof of Concept \u0026 Attack Feasibility\n### 3.1 Attack Feasibility: Credential Extraction\nThe exploit requires valid implant credentials, which are inherently embedded in Sliver\u0027s generated binaries. Since these binaries are often deployed to untrusted or compromised environments, credential recovery is a high-probability event. During testing, it was confirmed that an attacker can obtain the required mTLS certificates and Age Secret Keys through:\n- **Static Extraction (Trivial):** By default, running the `strings` utility on the implant binary or dumping the embedded configuration block is sufficient to recover the private keys.\n- **Memory Forensics:** If an implant is captured during execution, the configuration structures can be carved directly from the process memory, bypassing most disk-level obfuscation.\n\n### 3.2 Exploit Execution Flow\nThe provided exploit [mtls_poc.go](https://github.com/skoveit/Sliver-Nil-Pointer-DoS-PoC/blob/main/mtls_poc.go) or [mtls_poc.go](https://gist.github.com/skoveit/a5e52b5c9197fc53e2605a861cd8aa33) demonstrates how a single captured implant can be weaponized into a \"Kill Switch\" for the entire C2 infrastructure. The attack follows these steps:\n1. **Authentication:** Establishes a valid mTLS connection using the extracted certificates.\n2. **Multiplexing:** Negotiates a Yamux stream, bypassing standard network-level protections.\n3. **Payload Construction:** Builds a `BeaconRegister` Protobuf message where the `ID` is defined, but the critical `Register` sub-message is explicitly omitted (set to `nil`).\n4. **Envelope Signing:** Deterministically signs the malicious envelope using the recovered Age private key to ensure it is accepted by the server.\n5. **Trigger:** Sends the malformed payload. Upon receipt, the server\u0027s handler attempts to dereference the missing `Register` pointer, leading to an immediate **Full Server DoS**.\n\n## 4. Transport-Specific Response \u0026 Recovery Analysis\nThe impact of this panic varies significantly depending on the C2 transport used by the implant. While the nil-pointer dereference happens in the shared handler logic, the transport layer determines whether this results in a localized request failure or a total server termination.\n\n### 4.1 HTTP/S Transport\nHTTP-based beacons do **not** crash the entire Sliver server. This is because Sliver utilizes the standard Go `net/http` library.\n\n**Code Reference ([server/c2/http.go](https://github.com/BishopFox/sliver/blob/master/server/c2/http.go)):**\n```go\nserver.HTTPServer = \u0026http.Server{\n    Addr:         fmt.Sprintf(\"%s:%d\", req.Host, req.Port),\n    Handler:      server.router(),\n    // ...\n}\n// ...\ngo server.HTTPServer.ListenAndServe()\n```\n\nBy design, `net/http`\u0027s `ServeHTTP` implementation wraps every connection in a `defer recover()` block. When the [beaconRegisterHandler](https://github.com/BishopFox/sliver/blob/master/server/handlers/beacons.go#L46-L109) panics, the standard library catches it, logs the trace, and simply closes that specific TCP connection. The rest of the server remains unaffected.\n\n### 4.2 mTLS \u0026 WireGuard Transports (Full DoS)\nBoth mTLS and WireGuard utilize the `yamux` multiplexer to handle multiple streams over a single connection. Unlike the HTTP server, Sliver manually manages these goroutines without a global recovery mechanism.\n\n**mTLS [server/c2/mtls.go](https://github.com/BishopFox/sliver/blob/master/server/c2/mtls.go):**\n```go\nif handler, ok := handlers[envelope.Type]; ok {\n    mtlsLog.Debugf(\"Received new mtls message type %d, data: %s\", envelope.Type, envelope.Data)\n    go func(envelope *sliverpb.Envelope) {\n        respEnvelope := handler(implantConn, envelope.Data) // \u003c--- PANIC HERE\n        if respEnvelope != nil {\n            implantConn.Send \u003c- respEnvelope\n        }\n    }(envelope)\n}\n```\n\n**WireGuard [server/c2/wireguard.go](https://github.com/BishopFox/sliver/blob/master/server/c2/wireguard.go):**\n```go\nif handler, ok := handlers[envelope.Type]; ok {\n    go func(envelope *sliverpb.Envelope) {\n        respEnvelope := handler(implantConn, envelope.Data) // \u003c--- PANIC HERE\n        // ...\n    }(envelope)\n}\n```\n\nBecause these handlers are invoked in a **raw goroutine** without a `recover()` block, the panic propagates to the top of the stack, causing the entire Go runtime to exit (SIGSEGV). This kills the `sliver-server` process immediately.\n\n### 4.3 DNS Transport (Full DoS)\nSimilar to mTLS, the DNS transport reassembles messages and then forwards them to handlers in unsynchronized goroutines.\n\n**DNS [server/c2/dns.go](https://github.com/BishopFox/sliver/blob/master/server/c2/dns.go):**\n```go\n// Line 833: Forwarding the completed envelope\ngo dnsSession.ForwardCompletedEnvelope(msg.ID, pending)\n// ...\n// Inside ForwardCompletedEnvelope:\nif handler, ok := handlers[envelope.Type]; ok {\n    respEnvelope := handler(s.ImplantConn, envelope.Data) // \u003c--- PANIC HERE\n    // ...\n}\n```\n\nThis asynchronous call also lacks a `recover()` block, making DNS sessions equally capable of crashing the entire server.\n\n### 4.4 Vulnerability Matrix by Protocol\n\n| Protocol | Uses `recover()`? | Impact of Panic | Server Crash? |\n| :--- | :---: | :--- | :---: |\n| **HTTP / HTTPS** | Yes (Built-in) | Request Terminated | No |\n| **mTLS** | No | Process Termination | **Yes** |\n| **WireGuard** | No | Process Termination | **Yes** |\n| **DNS** | No | Process Termination | **Yes** |\n\n\n## 5. Impact Analysis\nThe impact of this vulnerability is\u00a0**Total Operational Paralysis**. Because the panic causes the entire Go runtime to terminate:\n- **Global Disconnection:**\u00a0Every active session and beacon across all transports (including the resilient HTTP transport) is instantly terminated.\n- **Persistence Risk:**\u00a0Implants waiting for their next check-in will find the server offline. Repeated failures may trigger internal implant \"kill-date\" or cleanup logic, or alert defensive monitoring to a failure in the C2 channel.\n- **Operator Eviction:**\u00a0All active operators are evicted from the gRPC interface, losing all unsaved state, active shell buffers, and real-time monitoring streams.\n- **Operational Downtime:**\u00a0Restoration requires manual intervention to restart the service and potentially re-establish complex pivot chains, creating a significant \"Recovery Time Objective\" (RTO) penalty.\n## 6. Countermeasures \u0026 Remediation\nAddressing these vulnerabilities requires a systemic shift towards \"fail-safe\" architecture. The root cause is a combination of unprotected Protobuf pointer dereferences and a lack of isolation in asynchronous transport layers.\n\n### 6.1 Tier 1: Tactical Defensive Programming\nThe immediate priority is to implement strict validation for all nested Protobuf fields. In Go, omitted sub-messages are `nil` after unmarshaling; handlers must assume any pointer-typed field from an implant is potentially `nil`.\n\n#### Implementation Pattern: Validation-First Handlers\nHandlers should validate the entire message structure before proceeding to business logic.\n\n```go\nbeaconReg := \u0026sliverpb.BeaconRegister{}\nif err := proto.Unmarshal(data, beaconReg); err != nil {\n\treturn nil // Drop malformed wire data\n}\n\n// MANDATORY VALIDATION BLOCK\nif beaconReg.Register == nil {\n\tbeaconHandlerLog.Errorf(\"Nil Register message from %s\", core.GetRemoteAddr(implantConn))\n\treturn nil\n}\n\n// Deep access is now safe\nid := beaconReg.Register.Uuid\n// ...\n```\n\n### 6.2 Tier 2: Infrastructure Hardening (RPC Global Accessors)\nTo protect the gRPC/Operator interface, the server should deprecate direct access to the [Request](https://github.com/BishopFox/sliver/blob/master/server/core/sessions.go#L148-L185) metadata field in favor of safe accessors that handle missing metadata gracefully.\n#### Recommended Helper Update \n```go\n// server/rpc/rpc.go\n// getRequestSafe returns the Request metadata or an error, preventing panics\nfunc getRequestSafe(req GenericRequest) (*commonpb.Request, error) {\n    r := req.GetRequest()\n    if r == nil {\n        return nil, status.Error(codes.InvalidArgument, \"missing mandatory \u0027Request\u0027 metadata\")\n    }\n    return r, nil\n}\n```\n### 6.3 Tier 3: Strategic Architectural Resilience (Panic Recovery Middleware)\nTo achieve parity with the resilience of the HTTP transport, all multiplexed transports (mTLS, WireGuard, DNS) must implement a supervisor pattern using Go\u0027s `recover()` mechanism.\n\n#### Implementation: Protected Handler Invoke\nAll handlers should be executed inside a \"Safe Wrapper\" that catches runtime panics, logs the failure, and terminates only the affected stream without crashing the entire C2 daemon.\n\n```go\nfunc SafeInvoke(handler ServerHandler, conn *core.ImplantConnection, data []byte) {\n    defer func() {\n        if r := recover(); r != nil {\n            log.Errorf(\"RECOVERY: Intercepted panic in handler: %v\\n%s\", r, debug.Stack())\n            // The daemon continues running; only this specific action failed.\n        }\n    }()\n    \n    response := handler(conn, data)\n    if response != nil {\n        conn.Send \u003c- response\n    }\n}\n```\n\n### 6.4 Tier 4: Long-Term Assurance\nThe framework should move away from manual nil-checking towards automated schema validation:\n- **`protoc-gen-validate` (PGV)**: Annotate [.proto](https://github.com/BishopFox/sliver/blob/master/protobuf/dnspb/dns.proto) files with `(validate.rules).message.required = true` and generate automatic validation code.\n- **Static Analysis CI**: Integrate custom linters to detect unprotected pointer dereferences of Protobuf types during the PR process.\n\nBy adopting this multi-tiered approach, Sliver evolves from a \"fail-deadly\" design to a robust, enterprise-grade C2 architecture.",
  "id": "GHSA-hx52-cv84-jr5v",
  "modified": "2026-03-09T15:49:25Z",
  "published": "2026-03-05T00:26:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/BishopFox/sliver/security/advisories/GHSA-hx52-cv84-jr5v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29781"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/BishopFox/sliver"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Sliver is Vulnerable to Authenticated Nil-Pointer Dereference through its Handlers"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29781 (GCVE-0-2026-29781)

FKIE_CVE-2026-29781

GHSA-HX52-CV84-JR5V

1. Executive Summary

2. Vulnerability Details

2.0 Technical Workflow: From Envelope to Handler

2.1 BeaconRegister Nil-Pointer Dereference

Root Cause Analysis

2.2 Expanded Inventory: System-Wide Nil-Pointer Vulnerabilities

2.2.1 Remote Implant Vectors (Unauthenticated)

2.2.2 Authenticated Operator Vectors (gRPC Layer)

3. Proof of Concept & Attack Feasibility

3.1 Attack Feasibility: Credential Extraction

3.2 Exploit Execution Flow

4. Transport-Specific Response & Recovery Analysis

4.1 HTTP/S Transport

4.2 mTLS & WireGuard Transports (Full DoS)

4.3 DNS Transport (Full DoS)

4.4 Vulnerability Matrix by Protocol

5. Impact Analysis

6. Countermeasures & Remediation

6.1 Tier 1: Tactical Defensive Programming

Implementation Pattern: Validation-First Handlers

6.2 Tier 2: Infrastructure Hardening (RPC Global Accessors)

Recommended Helper Update

6.3 Tier 3: Strategic Architectural Resilience (Panic Recovery Middleware)

Implementation: Protected Handler Invoke

6.4 Tier 4: Long-Term Assurance

Tags

Sightings

Nomenclature