Sliver C2 Framework, NULL Pointer Dereference, CVE-2026-29781 (MEDIUM)

Listen to this Post

CVE-2026-29781 is a vulnerability in the Sliver command and control framework that resides in the Protobuf unmarshalling logic . The flaw stems from a systemic lack of nil-pointer validation when processing certain message structures. An attacker who has successfully extracted valid implant credentials can exploit this by sending a signed message where specific nested fields are omitted. Because the server’s Protobuf parsing code does not check for nil pointers before dereferencing them, this malformed input triggers an unhandled runtime panic in the Go application. Critically, the transport layers for mTLS, WireGuard, and DNS lack the panic recovery middleware that is present in the HTTP transport. Consequently, this panic is not caught and recovered, leading to an immediate and global termination of the Sliver C2 server process. This effectively acts as a kill-switch for the entire command and control infrastructure, severing all active implant sessions and operator connections instantly. The only way to restore operations is through a manual restart of the server. At the time of publication, no official patch is available .

dailycve form:

Platform: Sliver C2 framework
Version: 1.7.3 and prior
Vulnerability: NULL Pointer Dereference
Severity: MEDIUM (CVSS 6.5)
Date: March 7, 2026

Prediction: Patch within 60 days

What Undercode Say:

Analytics

  • CVE ID: CVE-2026-29781
  • CWE: CWE-476 (NULL Pointer Dereference)
  • CVSS v3.1 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated implant)
  • Impact: High Availability impact, no Confidentiality/Integrity impact
  • Exploit Maturity: Proof-of-Concept (CVSS v4.0 E:P)

Bash Commands & Code Analysis

Check your Sliver server version
./sliver-server --version
Example: Find Sliver binaries and check version (Linux)
find / -name "sliver-server" -type f -exec {} --version \; 2>/dev/null
Example: Monitor for crashes (if server is running as a systemd service)
sudo journalctl -u sliver.service --since "1 hour ago" | grep -i panic
Example: Basic systemd service restart command (post-crash)
sudo systemctl restart sliver.service

Vulnerable Code Pattern (Conceptual Go Example):

// Vulnerable pseudo-code: No nil check before dereferencing nested field
func processMessage(msg SignedMessage) {
// If msg.ImplantConfig is nil, this line will cause a panic
implantID := msg.ImplantConfig.ID
fmt.Println("Processing implant:", implantID)
}
// Safe code with nil-pointer validation
func processMessageSafe(msg SignedMessage) {
if msg == nil || msg.ImplantConfig == nil {
log.Println("Received nil message or config, ignoring.")
return
}
implantID := msg.ImplantConfig.ID
fmt.Println("Processing implant:", implantID)
}

Exploit

  • Precondition: Attacker must possess valid implant credentials (post-authentication) .
  • Mechanism: Craft a signed Protobuf message where a required nested field (e.g., ImplantConfig) is omitted or set to null.
  • Transport: Send the malformed message via mTLS, WireGuard, or DNS channels.
  • Outcome: The server’s unmarshalling logic dereferences a nil pointer, causing an unhandled runtime panic and immediate process termination.

Protection from this CVE

  • Immediate Mitigation: As no patch exists, monitor server stability and implement automated restart scripts (e.g., systemd Restart=on-failure) to reduce downtime.
  • Code-Level Fix: The Sliver project must implement comprehensive nil-pointer checks in all Protobuf unmarshalling functions for all transport layers.
  • Defense in Depth: Apply generic panic recovery middleware to all network listeners (mTLS, WireGuard, DNS) similar to the HTTP layer’s implementation.

Impact

  • Infrastructure Kill-Switch: Successful exploitation instantly terminates the Sliver C2 server process .
  • Operational Disruption: All active C2 sessions (implants) and operator connections are severed immediately.
  • Service Restoration: Requires a manual restart of the server, causing significant downtime for red team operations.
  • Scope: Affects all versions from 1.7.3 and prior .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top