5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-29781

CVE-2026-29781: Sliver: Authenticated Nil-Pointer Dereference in Handlers

Sliver is a command and control framework that uses a custom Wireguard netstack. In versions from 1.7.3 and prior, a vulnerability exists in the Sliver C2 server's Protobuf unmarshalling logic due to a systemic lack of nil-pointer validation. By extracting valid implant credentials and omitting nested fields in a signed message, an authenticated actor can trigger an unhandled runtime panic. Because the mTLS, WireGuard, and DNS transport layers lack the panic recovery middleware present in the HTTP transport, this results in a global process termination. While requiring post-authentication access (a captured implant), this flaw effectively acts as an infrastructure "kill-switch," instantly severing all active sessions across the entire fleet and requiring a manual server restart to restore operations. At time of publication, there are no publicly available patches.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-29781

CVE-2026-29781:

5.3

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/bishopfox/sliver	go	<= 1.7.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a systemic nil-pointer dereference issue across multiple handlers in the Sliver C2 server. The root cause is the lack of validation after unmarshalling Protobuf messages. In Go, if a nested message field is omitted in a Protobuf message, it is represented as a nil pointer. The identified vulnerable functions directly access fields of these nested messages without first checking if the nested message itself is nil. An authenticated attacker can craft a message that omits these nested structures, causing a panic when the handler attempts to access a field on the nil pointer. For transports like mTLS, WireGuard, and DNS, this panic is unhandled and crashes the entire server process, resulting in a denial of service. The HTTP transport is not affected to the same degree because it has a built-in panic recovery mechanism.

Vulnerable functions

beaconRegisterHandler

server/handlers/beacons.go

The function unmarshals a `BeaconRegister` protobuf message but does not validate if the nested `Register` field is nil. A subsequent access to `beaconReg.Register.Uuid` will cause a nil-pointer dereference if the `Register` field is omitted in the request, leading to a panic.

createReverseTunnelHandler

server/handlers/sessions.go

The function attempts to access the `Rportfwd` field of a request without checking if it is nil. If the field is omitted, this results in a nil-pointer dereference and a server panic.

socksDataHandler

server/handlers/sessions.go

The function processes SOCKS proxy data and directly accesses the `SocksData` sub-message. If this sub-message is not present in the incoming data, it results in a nil-pointer dereference, causing the server to crash.

serverKeyExchange

server/handlers/pivot.go

This function handles peer-to-peer communication and accesses the `peerEnvelope.Peers` list. It does not check if the list is nil, leading to a panic if the peer list is not included in the message.

peersToString

server/handlers/pivot.go

This function is used for logging and debugging peer information. It dereferences the `peerEnvelope.Peers` list without a nil check, which can cause a panic if the list is not present.

getTimeout

server/rpc/rpc.go

This gRPC handler accesses the `Timeout` field from a nested `Request` object. If the `Request` object is nil, this will cause a nil-pointer dereference.

getError

server/rpc/rpc.go

This gRPC handler accesses the `Err` field from a nested `Response` object. If the `Response` object is nil, this will cause a nil-pointer dereference.

Portfwd

server/rpc/rpc-portfwd.go

This gRPC handler for port forwarding accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

GetSystem

server/rpc/rpc-priv.go

This gRPC handler accesses `req.GetRequest().SessionID` without a nil check on `req.GetRequest()`, which can lead to a panic.

GetPrivileges

server/rpc/rpc-priv.go

This gRPC handler accesses `req.Request.SessionID` without a nil check on `req.Request`, which can lead to a panic.

NetConnPivot

server/rpc/rpc-pivot.go

This gRPC handler for network connection pivoting accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

PivotListeners

server/rpc/rpc-pivot.go

This gRPC handler for pivot listeners accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

SocksStart

server/rpc/rpc-socks.go

This gRPC handler for starting a SOCKS proxy accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

SocksStop

server/rpc/rpc-socks.go

This gRPC handler for stopping a SOCKS proxy accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

RPortfwd

server/rpc/rpc-rportfwd.go

This gRPC handler for reverse port forwarding accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

Shell

server/rpc/rpc-shell.go

This gRPC handler for shell sessions accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

ShellResize

server/rpc/rpc-shell.go

This gRPC handler for resizing a shell accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

BackdoorImplant

server/rpc/rpc-backdoor.go

This gRPC handler for backdooring an implant accesses `req.Request.SessionID` and `req.Request.Timeout` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

CrackstationTrigger

server/rpc/rpc-crackstations.go

This gRPC handler unmarshals data into a `statusUpdate` object and then accesses `statusUpdate.HostUUID` without checking if the object or its fields are nil.

Tasks

server/rpc/rpc-tasks.go

This gRPC handler for managing tasks accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

ImplantReconfig

server/rpc/rpc-reconfig.go

This gRPC handler for reconfiguring an implant accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

MsfInject

server/rpc/rpc-msf.go

This gRPC handler for Metasploit injection accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

Hijack

server/rpc/rpc-hijack.go

This gRPC handler for hijacking a session accesses `req.Request.SessionID` without checking if `req.Request` is nil, making it vulnerable to a nil-pointer dereference.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.