MNBSD-2026-56: Multiple Critical Security Vulnerabilities in msearch

Severity: Unknown

Affected Package: msearch

Summary: Multiple Critical Security Vulnerabilities in msearch

Description

Multiple critical security vulnerabilities have been discovered in the msearch file search utility and its library libmsearch in MidnightBSD. These vulnerabilities affect the file indexing and searching functionality and could allow attackers to execute arbitrary code, access unauthorized files, or cause denial of service.

1. SQL Injection (CWE-89) - msearch_index_exists() used undefined %Q format specifier in SQLite queries
2. Format String Injection (CWE-134) - msearch_search_bind() used snprintf() with user input in format string
3. Path Traversal (CWE-22, CWE-367) - msearch_index_path_file() allowed symlink bypass of directory checks
4. TOCTOU Race Condition (CWE-367) - msearch_index_file() had race between lstat() and file operations
5. Hardcoded Library Path (CWE-269) - msearch_fulltext_open() loaded extension from hardcoded path

Impact: Arbitrary SQL query execution, arbitrary code execution, unauthorized file access, privilege escalation, or denial of service.
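A common mitigation for the lstat()-then-use pattern named in items 3 and 4 is to open the file without following symlinks and validate the opened descriptor with fstat(). The following is an added example, not msearch code and not the project's actual fix; open_regular_nofollow() and selfcheck() are hypothetical names, and the temporary files are constructed for the demonstration.

```c
/* Added example: not msearch code. All names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open without following a final-component symlink, then validate the
 * object actually opened: fstat() on the descriptor leaves no window
 * between the check and the use, unlike lstat() followed by open(). */
int open_regular_nofollow(const char *path, struct stat *st)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                  /* open() fails if path is a symlink */
    if (fstat(fd, st) != 0 || !S_ISREG(st->st_mode)) {
        close(fd);                  /* FIFO, device, directory, ... */
        return -1;
    }
    return fd;
}

/* Constructed self-check: builds a temp dir holding a regular file and a
 * symlink to it. Returns 0 if the file opens and the symlink is refused. */
int selfcheck(void)
{
    char dir[] = "/tmp/nofollow-XXXXXX";
    char file[64], link[64];
    struct stat st;
    int fd, rc = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/real.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(file, link) != 0)
        rc = -1;                    /* setup failed */
    if (rc == 0 && (fd = open_regular_nofollow(file, &st)) >= 0)
        close(fd);
    else
        rc |= 1;                    /* regular file must open */
    if ((fd = open_regular_nofollow(link, &st)) >= 0) {
        close(fd);
        rc |= 2;                    /* symlink must be rejected */
    }
    unlink(link); unlink(file); rmdir(dir);
    return rc;
}

int main(void) { return selfcheck(); }
```

O_NOFOLLOW only covers the last path component, so a symlinked parent directory still has to be handled separately, for example by resolving the path against an already opened directory descriptor with openat().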

Affected Versions

msearch

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases:

Published: June 26, 2026
Last Modified: June 26, 2026