PT-2026-23444 · Sliver · Sliver
Skoveit · Published 2026-03-05 · Updated 2026-03-25
CVE-2026-29781
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Sliver versions prior to the fix
Description
Sliver, a C2 server, contains a systemic lack of nil-pointer validation in its Protobuf unmarshalling logic. This allows an authenticated actor, by omitting nested fields in a signed message, to trigger an unhandled runtime panic. The mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, resulting in a global process termination. This effectively acts as an infrastructure "kill-switch," instantly severing all active sessions and requiring a manual server restart.

The vulnerability stems from the architectural handling of Protobuf messages, where omitted nested sub-messages result in nil pointers. Accessing properties of these nil pointers triggers the panic. Multiple handlers across various components, including beacon registration, reverse tunneling, SOCKS proxying, and RPC functions, are susceptible.

The impact of this vulnerability is total operational paralysis, as it causes a complete server crash, leading to global disconnection of sessions, potential persistence risks, and operator eviction. The vulnerability can be exploited by extracting valid implant credentials, which are often readily available in compromised environments.
Recommendations
Implement strict validation for all nested Protobuf fields to ensure that handlers do not attempt to dereference nil pointers.
Deprecate direct access to the Request metadata field in the gRPC interface and use safe accessors that handle missing metadata gracefully.
Implement a supervisor pattern using Go's recover() mechanism in all multiplexed transports (mTLS, WireGuard, DNS) to catch runtime panics and prevent server crashes.
Move towards automated schema validation using tools like protoc-gen-validate to enforce required fields and generate validation code.
Exploit
Fix
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Sliver