Search
Find a vulnerability
Search criteria
1298 vulnerabilities found for FreeBSD by FreeBSD
CVE-2026-49416 (GCVE-0-2026-49416)
Vulnerability from nvd – Published: 2026-06-27 09:25 – Updated: 2026-06-30 03:55
VLAI
Title
Integer overflow in vt(4) CONS_HISTORY ioctl
Summary
The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.
An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:30.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"vt"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ed Maste"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.\n\nAn unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:25:12.443Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:34.vt.asc"
}
],
"title": "Integer overflow in vt(4) CONS_HISTORY ioctl",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49416",
"datePublished": "2026-06-27T09:25:12.443Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:30.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49414 (GCVE-0-2026-49414)
Vulnerability from nvd – Published: 2026-06-27 09:22 – Updated: 2026-06-29 13:04
VLAI
Title
ASLR bypass for setuid executables via procctl(2)
Summary
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.
An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-179 - Incorrect Behavior Order: Early Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:04:41.634759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:04:45.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"elf"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.\n\nAn unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-179",
"description": "CWE-179: Incorrect Behavior Order: Early Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:22:23.307Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc"
}
],
"title": "ASLR bypass for setuid executables via procctl(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49414",
"datePublished": "2026-06-27T09:22:23.307Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-29T13:04:45.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49417 (GCVE-0-2026-49417)
Vulnerability from nvd – Published: 2026-06-27 08:48 – Updated: 2026-06-30 03:55
VLAI
Title
Multiple vulnerabilities in the sound(4) mmap path
Summary
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:26.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"sound"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lexpl0it, 75Acol, Liyw979, Rob1n"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:48:30.991Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc"
}
],
"title": "Multiple vulnerabilities in the sound(4) mmap path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49417",
"datePublished": "2026-06-27T08:48:30.991Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:26.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49413 (GCVE-0-2026-49413)
Vulnerability from nvd – Published: 2026-06-27 09:08 – Updated: 2026-06-29 13:05
VLAI
Title
Flaw in Linuxulator execution of setugid binaries
Summary
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.
An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:05:31.678040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:05:38.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"linux"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Minseong Kim of NSHC Red Alert Labs"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.\n\nAn unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:08:23.756Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:30.linux.asc"
}
],
"title": "Flaw in Linuxulator execution of setugid binaries",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49413",
"datePublished": "2026-06-27T09:08:23.756Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-29T13:05:38.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49412 (GCVE-0-2026-49412)
Vulnerability from nvd – Published: 2026-06-27 09:02 – Updated: 2026-06-30 03:55
VLAI
Title
Use-after-free bug in the IPV6_MSFILTER socket option handler
Summary
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.
An unprivileged local user can exploit this use-after-free to escalate privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:29.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ip6_multicast"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrew Griffiths at Calif.io"
},
{
"lang": "en",
"type": "finder",
"value": "Maik M\u00fcnch"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.\n\nAn unprivileged local user can exploit this use-after-free to escalate privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:02:55.482Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc"
}
],
"title": "Use-after-free bug in the IPV6_MSFILTER socket option handler",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49412",
"datePublished": "2026-06-27T09:02:55.482Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:29.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45259 (GCVE-0-2026-45259)
Vulnerability from nvd – Published: 2026-06-27 08:59 – Updated: 2026-06-29 13:10
VLAI
Title
sigqueue(2) missing capability mode restriction
Summary
sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID.
A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:10:36.202760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:10:40.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"capsicum"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ed Maste"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process\u0027s own PID.\n\nA process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:59:17.853Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc"
}
],
"title": "sigqueue(2) missing capability mode restriction",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45259",
"datePublished": "2026-06-27T08:59:17.853Z",
"dateReserved": "2026-05-11T16:27:44.892Z",
"dateUpdated": "2026-06-29T13:10:40.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45258 (GCVE-0-2026-45258)
Vulnerability from nvd – Published: 2026-06-27 08:50 – Updated: 2026-06-30 03:55
VLAI
Title
Multiple vulnerabilities in the sound(4) mmap path
Summary
dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:27.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"sound"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lexpl0it, 75Acol, ch0wn, zer0duck"
},
{
"lang": "en",
"type": "finder",
"value": "Emmanuel Genier from Quarkslab"
},
{
"lang": "en",
"type": "finder",
"value": "Hazley Samsudin of GovTech CSG"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-681",
"description": "CWE-681 Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:50:56.185Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc"
}
],
"title": "Multiple vulnerabilities in the sound(4) mmap path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45258",
"datePublished": "2026-06-27T08:50:56.185Z",
"dateReserved": "2026-05-11T16:27:44.892Z",
"dateUpdated": "2026-06-30T03:55:27.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45257 (GCVE-0-2026-45257)
Vulnerability from nvd – Published: 2026-06-26 14:50 – Updated: 2026-06-27 03:55
VLAI
Title
Arbitrary file overwrite via the KTLS receive path
Summary
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.
An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| https://www.heise.de/en/news/FreeBSD-Privilege-Es… | third-party-advisoryexploit |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T14:57:59.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/21"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45257",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T03:55:21.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://www.heise.de/en/news/FreeBSD-Privilege-Escalation-Vulnerability-with-Tongue-in-Cheek-Codename-11329109.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ktls"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bumsrakete"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver\u0027s decryption path unchanged. Decrypting a record in place then overwrites the backing file\u0027s page cache instead of a private copy of the data.\n\nAn unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:50:27.157Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:26.ktls.asc"
}
],
"title": "Arbitrary file overwrite via the KTLS receive path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45257",
"datePublished": "2026-06-26T14:50:27.157Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-06-27T03:55:21.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45256 (GCVE-0-2026-45256)
Vulnerability from nvd – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:30
VLAI
Title
Missing permission check in thr_kill2(2)
Summary
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.
The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.
An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:29:58.924156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:30:02.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"thr"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
},
{
"lang": "en",
"type": "finder",
"value": "Igor Gabriel Sousa e Souza"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.\n\nThe missing check allows an unprivileged local user who knows or can guess a target\u0027s process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.\n\nAn attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:43:22.674Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:25.thr.asc"
}
],
"title": "Missing permission check in thr_kill2(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45256",
"datePublished": "2026-06-26T14:43:22.674Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-06-26T15:30:02.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45255 (GCVE-0-2026-45255)
Vulnerability from nvd – Published: 2026-05-21 09:27 – Updated: 2026-05-22 03:55
VLAI
Title
Remote code execution via installer Wi-Fi access point scans
Summary
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.
The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:39.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bsdinstall"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Austin Ralls"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.\n\nThe problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:27:20.431Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc"
}
],
"title": "Remote code execution via installer Wi-Fi access point scans",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45255",
"datePublished": "2026-05-21T09:27:20.431Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:39.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45254 (GCVE-0-2026-45254)
Vulnerability from nvd – Published: 2026-05-21 09:34 – Updated: 2026-05-21 14:37
VLAI
Title
Incorrect libcap_net limitation list manipulation
Summary
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected.
In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T14:35:55.800907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T14:37:03.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libcap_net"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as \"allow any\" instead of being rejected.\n\nIn certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:34:37.541Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:24.cap_net.asc"
}
],
"title": "Incorrect libcap_net limitation list manipulation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45254",
"datePublished": "2026-05-21T09:34:37.541Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-21T14:37:03.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45253 (GCVE-0-2026-45253)
Vulnerability from nvd – Published: 2026-05-21 09:17 – Updated: 2026-05-22 03:55
VLAI
Title
Missing validation in ptrace(PT_SC_REMOTE)
Summary
ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.
The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:37.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ptrace"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan at Calif.io"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.\n\nThe missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:17:29.232Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc"
}
],
"title": "Missing validation in ptrace(PT_SC_REMOTE)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45253",
"datePublished": "2026-05-21T09:17:29.232Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:37.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45252 (GCVE-0-2026-45252)
Vulnerability from nvd – Published: 2026-05-21 09:08 – Updated: 2026-05-21 13:47
VLAI
Title
Heap overflow in FUSE_LISTXATTR
Summary
When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.
If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:46:56.283986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:47:03.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"fusefs"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.\n\nIf a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:08:00.478Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc"
}
],
"title": "Heap overflow in FUSE_LISTXATTR",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45252",
"datePublished": "2026-05-21T09:08:00.478Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-21T13:47:03.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45251 (GCVE-0-2026-45251)
Vulnerability from nvd – Published: 2026-05-21 09:04 – Updated: 2026-05-22 03:55
VLAI
Title
Kernel use-after-free via file descriptor syscalls
Summary
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.
In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability.
The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:35.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"file"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "75Acol, Lexpl0it, fcgboy, and robinzeng2015"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan at Calif.io"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.\n\nIn the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability.\n\nThe use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:04:52.569Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:19.file.asc"
}
],
"title": "Kernel use-after-free via file descriptor syscalls",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45251",
"datePublished": "2026-05-21T09:04:52.569Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:35.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39461 (GCVE-0-2026-39461)
Vulnerability from nvd – Published: 2026-05-21 09:20 – Updated: 2026-05-22 03:55
VLAI
Title
select(2) file descriptor set overflow causes stack overflow
Summary
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:38.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libcasper"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)\u0027s descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:20:26.126Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc"
}
],
"title": "select(2) file descriptor set overflow causes stack overflow",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-39461",
"datePublished": "2026-05-21T09:20:26.126Z",
"dateReserved": "2026-04-28T15:08:10.637Z",
"dateUpdated": "2026-05-22T03:55:38.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45250 (GCVE-0-2026-45250)
Vulnerability from nvd – Published: 2026-05-21 08:37 – Updated: 2026-05-22 07:11
VLAI
Title
Stack buffer overflow via setcred(2)
Summary
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.
Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:34.899Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-22T07:11:47.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/22/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"setcred"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan of Calif.io"
},
{
"lang": "en",
"type": "finder",
"value": "Przemyslaw Frasunek"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.\n\nBecause the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T08:37:17.553Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:18.setcred.asc"
}
],
"title": "Stack buffer overflow via setcred(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45250",
"datePublished": "2026-05-21T08:37:17.553Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T07:11:47.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49416 (GCVE-0-2026-49416)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:25 – Updated: 2026-06-30 03:55
VLAI
Title
Integer overflow in vt(4) CONS_HISTORY ioctl
Summary
The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.
An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:30.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"vt"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ed Maste"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.\n\nAn unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:25:12.443Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:34.vt.asc"
}
],
"title": "Integer overflow in vt(4) CONS_HISTORY ioctl",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49416",
"datePublished": "2026-06-27T09:25:12.443Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:30.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49414 (GCVE-0-2026-49414)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:22 – Updated: 2026-06-29 13:04
VLAI
Title
ASLR bypass for setuid executables via procctl(2)
Summary
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.
An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-179 - Incorrect Behavior Order: Early Validation
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:04:41.634759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:04:45.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"elf"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.\n\nAn unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-179",
"description": "CWE-179: Incorrect Behavior Order: Early Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:22:23.307Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc"
}
],
"title": "ASLR bypass for setuid executables via procctl(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49414",
"datePublished": "2026-06-27T09:22:23.307Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-29T13:04:45.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49413 (GCVE-0-2026-49413)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:08 – Updated: 2026-06-29 13:05
VLAI
Title
Flaw in Linuxulator execution of setugid binaries
Summary
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.
An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:05:31.678040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:05:38.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"linux"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Minseong Kim of NSHC Red Alert Labs"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.\n\nAn unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:08:23.756Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:30.linux.asc"
}
],
"title": "Flaw in Linuxulator execution of setugid binaries",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49413",
"datePublished": "2026-06-27T09:08:23.756Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-29T13:05:38.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49412 (GCVE-0-2026-49412)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:02 – Updated: 2026-06-30 03:55
VLAI
Title
Use-after-free bug in the IPV6_MSFILTER socket option handler
Summary
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.
An unprivileged local user can exploit this use-after-free to escalate privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:29.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ip6_multicast"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrew Griffiths at Calif.io"
},
{
"lang": "en",
"type": "finder",
"value": "Maik M\u00fcnch"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.\n\nAn unprivileged local user can exploit this use-after-free to escalate privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:02:55.482Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc"
}
],
"title": "Use-after-free bug in the IPV6_MSFILTER socket option handler",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49412",
"datePublished": "2026-06-27T09:02:55.482Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:29.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45259 (GCVE-0-2026-45259)
Vulnerability from cvelistv5 – Published: 2026-06-27 08:59 – Updated: 2026-06-29 13:10
VLAI
Title
sigqueue(2) missing capability mode restriction
Summary
sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID.
A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:10:36.202760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:10:40.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"capsicum"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ed Maste"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process\u0027s own PID.\n\nA process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:59:17.853Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc"
}
],
"title": "sigqueue(2) missing capability mode restriction",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45259",
"datePublished": "2026-06-27T08:59:17.853Z",
"dateReserved": "2026-05-11T16:27:44.892Z",
"dateUpdated": "2026-06-29T13:10:40.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45258 (GCVE-0-2026-45258)
Vulnerability from cvelistv5 – Published: 2026-06-27 08:50 – Updated: 2026-06-30 03:55
VLAI
Title
Multiple vulnerabilities in the sound(4) mmap path
Summary
dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:27.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"sound"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lexpl0it, 75Acol, ch0wn, zer0duck"
},
{
"lang": "en",
"type": "finder",
"value": "Emmanuel Genier from Quarkslab"
},
{
"lang": "en",
"type": "finder",
"value": "Hazley Samsudin of GovTech CSG"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-681",
"description": "CWE-681 Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:50:56.185Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc"
}
],
"title": "Multiple vulnerabilities in the sound(4) mmap path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45258",
"datePublished": "2026-06-27T08:50:56.185Z",
"dateReserved": "2026-05-11T16:27:44.892Z",
"dateUpdated": "2026-06-30T03:55:27.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49417 (GCVE-0-2026-49417)
Vulnerability from cvelistv5 – Published: 2026-06-27 08:48 – Updated: 2026-06-30 03:55
VLAI
Title
Multiple vulnerabilities in the sound(4) mmap path
Summary
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:26.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"sound"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lexpl0it, 75Acol, Liyw979, Rob1n"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:48:30.991Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc"
}
],
"title": "Multiple vulnerabilities in the sound(4) mmap path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49417",
"datePublished": "2026-06-27T08:48:30.991Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:26.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45257 (GCVE-0-2026-45257)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:50 – Updated: 2026-06-27 03:55
VLAI
Title
Arbitrary file overwrite via the KTLS receive path
Summary
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.
An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| http://www.openwall.com/lists/oss-security/2026/0… | |
| https://www.heise.de/en/news/FreeBSD-Privilege-Es… | third-party-advisoryexploit |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T14:57:59.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/21"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45257",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T03:55:21.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://www.heise.de/en/news/FreeBSD-Privilege-Escalation-Vulnerability-with-Tongue-in-Cheek-Codename-11329109.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ktls"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bumsrakete"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver\u0027s decryption path unchanged. Decrypting a record in place then overwrites the backing file\u0027s page cache instead of a private copy of the data.\n\nAn unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:50:27.157Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:26.ktls.asc"
}
],
"title": "Arbitrary file overwrite via the KTLS receive path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45257",
"datePublished": "2026-06-26T14:50:27.157Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-06-27T03:55:21.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45256 (GCVE-0-2026-45256)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:30
VLAI
Title
Missing permission check in thr_kill2(2)
Summary
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.
The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.
An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-06-09 23:30
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:29:58.924156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:30:02.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"thr"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
},
{
"lang": "en",
"type": "finder",
"value": "Igor Gabriel Sousa e Souza"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.\n\nThe missing check allows an unprivileged local user who knows or can guess a target\u0027s process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.\n\nAn attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:43:22.674Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:25.thr.asc"
}
],
"title": "Missing permission check in thr_kill2(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45256",
"datePublished": "2026-06-26T14:43:22.674Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-06-26T15:30:02.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45254 (GCVE-0-2026-45254)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:34 – Updated: 2026-05-21 14:37
VLAI
Title
Incorrect libcap_net limitation list manipulation
Summary
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected.
In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T14:35:55.800907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T14:37:03.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libcap_net"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as \"allow any\" instead of being rejected.\n\nIn certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:34:37.541Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:24.cap_net.asc"
}
],
"title": "Incorrect libcap_net limitation list manipulation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45254",
"datePublished": "2026-05-21T09:34:37.541Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-21T14:37:03.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45255 (GCVE-0-2026-45255)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:27 – Updated: 2026-05-22 03:55
VLAI
Title
Remote code execution via installer Wi-Fi access point scans
Summary
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.
The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:39.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bsdinstall"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Austin Ralls"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.\n\nThe problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:27:20.431Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc"
}
],
"title": "Remote code execution via installer Wi-Fi access point scans",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45255",
"datePublished": "2026-05-21T09:27:20.431Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:39.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39461 (GCVE-0-2026-39461)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:20 – Updated: 2026-05-22 03:55
VLAI
Title
select(2) file descriptor set overflow causes stack overflow
Summary
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:38.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libcasper"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)\u0027s descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:20:26.126Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc"
}
],
"title": "select(2) file descriptor set overflow causes stack overflow",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-39461",
"datePublished": "2026-05-21T09:20:26.126Z",
"dateReserved": "2026-04-28T15:08:10.637Z",
"dateUpdated": "2026-05-22T03:55:38.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45253 (GCVE-0-2026-45253)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:17 – Updated: 2026-05-22 03:55
VLAI
Title
Missing validation in ptrace(PT_SC_REMOTE)
Summary
ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.
The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.
Severity
8.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://security.freebsd.org/advisories/FreeBSD-S… | vendor-advisory |
Impacted products
Date Public
2026-05-20 23:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:37.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ptrace"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan at Calif.io"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.\n\nThe missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:17:29.232Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc"
}
],
"title": "Missing validation in ptrace(PT_SC_REMOTE)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45253",
"datePublished": "2026-05-21T09:17:29.232Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:37.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2026-AVI-0716
Vulnerability from certfr_avis - Published: 2026-06-10 - Updated: 2026-06-12
De multiples vulnérabilités ont été découvertes dans FreeBSD. Elles permettent à un attaquant de provoquer une élévation de privilèges.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| FreeBSD | FreeBSD | FreeBSD branche 14.4 versions antérieures à 14.4-n273719 | ||
| FreeBSD | FreeBSD | FreeBSD branche 14.3 versions antérieures à 14.3-n271519 | ||
| FreeBSD | FreeBSD | FreeBSD branche 14 versions antérieures à 14-n274315 | ||
| FreeBSD | FreeBSD | FreeBSD branche 15 versions antérieures à 15-n283886 | ||
| FreeBSD | FreeBSD | FreeBSD branche 15.1 versions antérieures à 15.1-n283555 | ||
| FreeBSD | FreeBSD | FreeBSD branche 15.0 versions antérieures à 15.0-n281057 |
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "FreeBSD branche 14.4 versions ant\u00e9rieures \u00e0 14.4-n273719",
"product": {
"name": "FreeBSD",
"vendor": {
"name": "FreeBSD",
"scada": false
}
}
},
{
"description": "FreeBSD branche 14.3 versions ant\u00e9rieures \u00e0 14.3-n271519",
"product": {
"name": "FreeBSD",
"vendor": {
"name": "FreeBSD",
"scada": false
}
}
},
{
"description": "FreeBSD branche 14 versions ant\u00e9rieures \u00e0 14-n274315",
"product": {
"name": "FreeBSD",
"vendor": {
"name": "FreeBSD",
"scada": false
}
}
},
{
"description": "FreeBSD branche 15 versions ant\u00e9rieures \u00e0 15-n283886",
"product": {
"name": "FreeBSD",
"vendor": {
"name": "FreeBSD",
"scada": false
}
}
},
{
"description": "FreeBSD branche 15.1 versions ant\u00e9rieures \u00e0 15.1-n283555",
"product": {
"name": "FreeBSD",
"vendor": {
"name": "FreeBSD",
"scada": false
}
}
},
{
"description": "FreeBSD branche 15.0 versions ant\u00e9rieures \u00e0 15.0-n281057",
"product": {
"name": "FreeBSD",
"vendor": {
"name": "FreeBSD",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-45257",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-45257"
},
{
"name": "CVE-2026-49413",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-49413"
}
],
"initial_release_date": "2026-06-10T00:00:00",
"last_revision_date": "2026-06-12T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0716",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-06-10T00:00:00.000000"
},
{
"description": "Ajout du bulletin de s\u00e9curit\u00e9 FreeBSD FreeBSD-SA-26:26 du 9 juin 2026.",
"revision_date": "2026-06-12T00:00:00.000000"
}
],
"risks": [
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans FreeBSD. Elles permettent \u00e0 un attaquant de provoquer une \u00e9l\u00e9vation de privil\u00e8ges.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans FreeBSD",
"vendor_advisories": [
{
"published_at": "2026-06-09",
"title": "Bulletin de s\u00e9curit\u00e9 FreeBSD FreeBSD-SA-26:26",
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc"
},
{
"published_at": "2026-06-09",
"title": "Bulletin de s\u00e9curit\u00e9 FreeBSD FreeBSD-SA-26:30",
"url": "https://www.freebsd.org/security/advisories/FreeBSD-SA-26:30.linux.asc"
}
]
}