CVE Reports

Posted on • Originally published at cvereports.com

GHSA-C279-989M-238F: Nil Pointer Dereference in Sliver C2 Reverse Tunnel Handler

Vulnerability ID: GHSA-C279-989M-238F
CVSS Score: 6.9
Published: 2026-03-29

A Nil Pointer Dereference vulnerability exists in the Sliver adversary emulation framework, specifically within the tunnelCloseHandler function. Authenticated operators or active implants can trigger a goroutine panic by attempting to close a reverse tunnel. This results in a localized denial-of-service condition and subsequent resource leakage.

TL;DR

Sliver versions <= 1.7.3 suffer from a nil pointer dereference in reverse tunnel closure logic, causing goroutine panics and memory leaks when an authenticated session requests a tunnel close.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Nil Pointer Dereference (CWE-476)
  • Attack Vector: Network (Authenticated Message Passing)
  • CVSS 4.0 Score: 6.9 (Medium)
  • CVSS 3.1 Score: 6.5 (Medium)
  • Impact: Denial of Service (Thread Level), Resource Leak
  • Exploit Status: Unweaponized / Functional Regression
  • KEV Status: Not Listed

Affected Systems

  • Sliver C2 Framework Server
  • Go Application Runtimes managing Sliver Implants
  • Sliver: <= 1.7.3 (no fixed release as of publication)

Mitigation Strategies

  • Apply the source code patch correcting the variable reference in server/handlers/sessions.go.
  • Monitor Sliver server logs for panic events containing "invalid memory address or nil pointer dereference".
  • Restrict network access to the Sliver management interface to trusted operators only.
  • Limit the use of rportfwd (reverse tunnels) until the server software is patched.

Remediation Steps:

  1. Locate the Sliver source code directory on the build server.
  2. Open server/handlers/sessions.go and navigate to the tunnelCloseHandler function (approximately line 172).
  3. Replace all instances of tunnel.SessionID with rtunnel.SessionID within the reverse tunnel else block.
  4. Recompile the Sliver server binary using the make command or standard Go build procedures.
  5. Restart the Sliver server service to load the patched binary and clear any orphaned tunnel metadata from memory.
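
A minimal Go model of the defect and of the change in step 3, added here as an illustration; it is not Sliver's source code. The Tunnel and RTunnel types, the two maps and both function names are assumptions, and recover is used only so the example can report the panic string that the mitigation list says to monitor for.

```go
package main

import "fmt"

// Hypothetical stand-ins for the server's tunnel records (not Sliver's types).
type Tunnel struct{ SessionID string }
type RTunnel struct{ SessionID string }

var tunnels = map[uint64]*Tunnel{}                       // forward tunnels, empty
var rtunnels = map[uint64]*RTunnel{7: {SessionID: "s1"}} // constructed sample

// closeVulnerable models the flaw: the reverse-tunnel branch reads the nil `tunnel`.
func closeVulnerable(id uint64, session string) (err error) {
	defer func() { // recover only so the example can report the panic
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	tunnel := tunnels[id]
	if tunnel != nil {
		delete(tunnels, id)
	} else {
		rtunnel := rtunnels[id]
		if rtunnel != nil && session == tunnel.SessionID { // tunnel is nil here
			delete(rtunnels, id) // never reached: the entry stays in the map
		}
	}
	return nil
}

// closeFixed reads the session ID from the record that was actually found.
func closeFixed(id uint64, session string) error {
	if tunnel := tunnels[id]; tunnel != nil {
		delete(tunnels, id)
		return nil
	}
	rtunnel := rtunnels[id]
	if rtunnel == nil || rtunnel.SessionID != session {
		return fmt.Errorf("unknown tunnel or session mismatch")
	}
	delete(rtunnels, id)
	return nil
}

func main() {
	fmt.Println("vulnerable:", closeVulnerable(7, "s1"))
	fmt.Println("fixed:", closeFixed(7, "s1"))
}
```

After the vulnerable call the reverse tunnel entry is still present in the map, which is the leaked state the report describes; the fixed call removes it.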
