Jan 7, 2026
NetBSD (7.1 and earlier) mapped the dynamic linker directly below the stack, with only a single guard page between the two, even when ASLR was enabled. A local attacker could force a stack allocation larger than that guard page (a large local array or alloca in a setuid binary), so that the stack pointer 'jumps' over the guard without ever touching it and subsequent writes land in the linker's memory. Because the relative layout of stack and linker never changed, ASLR offered no protection and the guard page never faulted, which made the resulting local privilege escalation (LPE) reliable.
A memory-layout flaw in NetBSD let the stack collide with the dynamic linker (ld.so): one unprobed stack allocation could skip the guard page and write into ld.so's mapping, giving arbitrary code execution. Reported as part of the broader 'Stack Clash' research published by Qualys in 2017.
CVSS v3.0 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| NetBSD | <= 7.1 | Subject to patch availability (post-2017 updates) |

| Attribute | Detail |
|---|---|
| Attack Vector | Local (stack manipulation against a setuid binary) |
| CVSS v3.0 | 9.8 (Critical), as published |
| Bug Class | Stack Clash / Memory Corruption |
| Weakness | Out-of-bounds Write |
| Target Component | ld.so (dynamic linker) |
| Exploit Reliability | High (deterministic memory layout: ld.so always sits directly below the stack) |
| EPSS Score | 38.41% |

Scoring caveat: the 9.8 rating follows from the published vector string, which assigns AV:N (network) and PR:N (no privileges). The bug itself requires local code execution: the attacker must run a setuid binary and control how much stack it consumes. When prioritising, treat this as a local privilege escalation regardless of what the vector string says.
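To make the 'jump' concrete, here is an added example (editor's code, not from the advisory, Qualys or NetBSD) that measures the gap between the stack and the mapping directly below it from /proc/self/maps-style text and reports whether a stack frame of a given size would skip the guard. The NetBSD-like listing inside it is constructed to mirror the layout described above (the linker directly below the stack, one guard page between them); its addresses are invented. On a NetBSD host without procfs the /proc/self/maps read simply fails and only the constructed samples are reported.

```c
/* Added example (editor's code, not from the advisory or from NetBSD): measure the
 * gap between the main stack and the mapping directly below it. A Stack Clash
 * attack needs one stack allocation larger than that gap, so the gap size decides
 * whether the guard page can be skipped. Input is Linux /proc/self/maps text; the
 * NetBSD-like sample is CONSTRUCTED to mirror the layout the advisory describes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LINE 512
#define PAGE_BYTES 4096UL
#define LINUX_STACK_GAP (256UL * PAGE_BYTES)   /* Linux's post-2017 default gap: 1 MiB */

struct stack_gap {
    uintptr_t stack_lo, stack_hi;   /* the [stack] mapping */
    uintptr_t neigh_lo, neigh_hi;   /* highest mapping ending at or below stack_lo */
    char      neigh_name[128];      /* its path, "" if anonymous */
    uintptr_t gap_below;            /* stack_lo - neigh_hi: bytes a frame must exceed */
};

/* Parse "lo-hi perms offset dev inode [path]"; path stays "" when absent. */
static int parse_line(const char *line, uintptr_t *lo, uintptr_t *hi, char *path, size_t sz)
{
    unsigned long l, h;
    char buf[128] = "";
    if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %127s", &l, &h, buf) < 2) return 0;
    *lo = l; *hi = h;
    snprintf(path, sz, "%s", buf);
    return 1;
}

/* Two passes: find [stack], then the nearest mapping below it. Returns 1 on success. */
int scan_maps(const char *text, struct stack_gap *out)
{
    int have_stack = 0, have_neigh = 0;
    memset(out, 0, sizeof *out);
    for (int pass = 0; pass < 2; pass++) {
        for (const char *p = text; *p; ) {
            const char *nl = strchr(p, '\n');
            size_t len = nl ? (size_t)(nl - p) : strlen(p);
            size_t n = len < MAX_LINE - 1 ? len : MAX_LINE - 1;
            char line[MAX_LINE], path[128];
            uintptr_t lo, hi;
            memcpy(line, p, n);
            line[n] = '\0';
            p += len + (nl ? 1 : 0);
            if (!parse_line(line, &lo, &hi, path, sizeof path)) continue;
            if (pass == 0) {
                if (strcmp(path, "[stack]") == 0) { out->stack_lo = lo; out->stack_hi = hi; have_stack = 1; }
            } else if (hi <= out->stack_lo && (!have_neigh || hi > out->neigh_hi)) {
                out->neigh_lo = lo; out->neigh_hi = hi; have_neigh = 1;
                snprintf(out->neigh_name, sizeof out->neigh_name, "%s", path);
            }
        }
        if (!have_stack) return 0;
    }
    if (!have_neigh) return 0;
    out->gap_below = out->stack_lo - out->neigh_hi;
    return 1;
}

/* Moving the stack pointer down by `frame` bytes lands inside the neighbour
 * (never touching the guard) exactly when the frame is larger than the gap. */
int frame_skips_gap(uintptr_t gap, size_t frame) { return frame > gap; }

/* CONSTRUCTED layout mirroring pre-fix NetBSD: ld.elf_so directly below the
 * stack with one guard page between them. Addresses are invented. */
const char SAMPLE_NETBSD_LIKE[] =
    "7f7ff7e00000-7f7ff7e2a000 r-xp 00000000 00:00 0 /libexec/ld.elf_so\n"
    "7f7ff7e2a000-7f7ff7e2c000 rw-p 00000000 00:00 0 /libexec/ld.elf_so\n"
    "7f7ff7e2d000-7f7ff7ffe000 rw-p 00000000 00:00 0 [stack]\n";

/* CONSTRUCTED layout in the post-fix Linux style: about 128 MiB of unmapped
 * space below the stack, far more than a single guard page. */
const char SAMPLE_LINUX_LIKE[] =
    "7ffff7dd5000-7ffff7dfc000 r-xp 00000000 08:01 131 /lib64/ld-linux-x86-64.so.2\n"
    "7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]\n";

static void report(const char *label, const char *maps, size_t frame)
{
    struct stack_gap g;
    if (!scan_maps(maps, &g)) { printf("%s: no [stack] with a lower neighbour\n", label); return; }
    printf("%s: gap below stack = %lu bytes (%lu pages), neighbour %s; a %zu-byte frame %s the guard\n",
           label, (unsigned long)g.gap_below, (unsigned long)(g.gap_below / PAGE_BYTES),
           g.neigh_name[0] ? g.neigh_name : "(anonymous)", frame,
           frame_skips_gap(g.gap_below, frame) ? "SKIPS" : "hits");
}

int main(void)
{
    char buf[1 << 16];
    size_t n = 0;
    FILE *f = fopen("/proc/self/maps", "r");   /* absent on NetBSD without procfs */
    if (f) { n = fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    buf[n] = '\0';
    if (n) report("this process", buf, 2 * PAGE_BYTES);
    else puts("this process: /proc/self/maps unavailable");
    report("constructed NetBSD-like layout", SAMPLE_NETBSD_LIKE, 2 * PAGE_BYTES);
    report("constructed Linux-like layout", SAMPLE_LINUX_LIKE, 2 * PAGE_BYTES);
    return 0;
}
```

Build with `cc -std=c99 -o stackgap stackgap.c`. The number that matters is the gap: with a single 4 KiB guard page, any unprobed frame over 4 KiB (a modest alloca or a large local array) lands in the neighbouring mapping, which is why the pre-fix layout gave a deterministic write into ld.so. Compiling with `-fstack-clash-protection` (GCC 8 and later, and Clang) makes the compiler touch every page of a large frame so the guard is always hit, but that only protects code built with the flag; the kernel-side fix to the mapping layout is the one to deploy.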