Search criteria
232 vulnerabilities
CVE-2026-49416 (GCVE-0-2026-49416)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:25 – Updated: 2026-06-30 03:55
VLAI?
Title
Integer overflow in vt(4) CONS_HISTORY ioctl
Summary
The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.
An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.
Severity ?
7.8 (High)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Ed Maste
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49416",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:30.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"vt"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ed Maste"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.\n\nAn unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:25:12.443Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:34.vt.asc"
}
],
"title": "Integer overflow in vt(4) CONS_HISTORY ioctl",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49416",
"datePublished": "2026-06-27T09:25:12.443Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:30.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49414 (GCVE-0-2026-49414)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:22 – Updated: 2026-06-29 13:04
VLAI?
Title
ASLR bypass for setuid executables via procctl(2)
Summary
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.
An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.
Severity ?
7.8 (High)
CWE
- CWE-179 - Incorrect Behavior Order: Early Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Synacktiv
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49414",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:04:41.634759Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:04:45.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"elf"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Synacktiv"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.\n\nAn unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-179",
"description": "CWE-179: Incorrect Behavior Order: Early Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:22:23.307Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc"
}
],
"title": "ASLR bypass for setuid executables via procctl(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49414",
"datePublished": "2026-06-27T09:22:23.307Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-29T13:04:45.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49413 (GCVE-0-2026-49413)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:08 – Updated: 2026-06-29 13:05
VLAI?
Title
Flaw in Linuxulator execution of setugid binaries
Summary
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.
An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Severity ?
7.1 (High)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Minseong Kim of NSHC Red Alert Labs
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49413",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:05:31.678040Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:05:38.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"linux"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Minseong Kim of NSHC Red Alert Labs"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.\n\nAn unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:08:23.756Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:30.linux.asc"
}
],
"title": "Flaw in Linuxulator execution of setugid binaries",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49413",
"datePublished": "2026-06-27T09:08:23.756Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-29T13:05:38.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49412 (GCVE-0-2026-49412)
Vulnerability from cvelistv5 – Published: 2026-06-27 09:02 – Updated: 2026-06-30 03:55
VLAI?
Title
Use-after-free bug in the IPV6_MSFILTER socket option handler
Summary
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.
An unprivileged local user can exploit this use-after-free to escalate privileges.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Andrew Griffiths at Calif.io
Maik Münch
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49412",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:29.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ip6_multicast"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrew Griffiths at Calif.io"
},
{
"lang": "en",
"type": "finder",
"value": "Maik M\u00fcnch"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.\n\nAn unprivileged local user can exploit this use-after-free to escalate privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T09:02:55.482Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc"
}
],
"title": "Use-after-free bug in the IPV6_MSFILTER socket option handler",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49412",
"datePublished": "2026-06-27T09:02:55.482Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:29.049Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45259 (GCVE-0-2026-45259)
Vulnerability from cvelistv5 – Published: 2026-06-27 08:59 – Updated: 2026-06-29 13:10
VLAI?
Title
sigqueue(2) missing capability mode restriction
Summary
sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID.
A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process.
Severity ?
6.5 (Medium)
CWE
- CWE-266 - Incorrect Privilege Assignment
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Ed Maste
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45259",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:10:36.202760Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:10:40.990Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"capsicum"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ed Maste"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process\u0027s own PID.\n\nA process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "CWE-266: Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:59:17.853Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc"
}
],
"title": "sigqueue(2) missing capability mode restriction",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45259",
"datePublished": "2026-06-27T08:59:17.853Z",
"dateReserved": "2026-05-11T16:27:44.892Z",
"dateUpdated": "2026-06-29T13:10:40.990Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45258 (GCVE-0-2026-45258)
Vulnerability from cvelistv5 – Published: 2026-06-27 08:50 – Updated: 2026-06-30 03:55
VLAI?
Title
Multiple vulnerabilities in the sound(4) mmap path
Summary
dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Severity ?
7.8 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Lexpl0it, 75Acol, ch0wn, zer0duck
Emmanuel Genier from Quarkslab
Hazley Samsudin of GovTech CSG
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:27.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"sound"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lexpl0it, 75Acol, ch0wn, zer0duck"
},
{
"lang": "en",
"type": "finder",
"value": "Emmanuel Genier from Quarkslab"
},
{
"lang": "en",
"type": "finder",
"value": "Hazley Samsudin of GovTech CSG"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-681",
"description": "CWE-681 Incorrect Conversion between Numeric Types",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:50:56.185Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc"
}
],
"title": "Multiple vulnerabilities in the sound(4) mmap path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45258",
"datePublished": "2026-06-27T08:50:56.185Z",
"dateReserved": "2026-05-11T16:27:44.892Z",
"dateUpdated": "2026-06-30T03:55:27.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-49417 (GCVE-0-2026-49417)
Vulnerability from cvelistv5 – Published: 2026-06-27 08:48 – Updated: 2026-06-30 03:55
VLAI?
Title
Multiple vulnerabilities in the sound(4) mmap path
Summary
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.
The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Severity ?
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Lexpl0it, 75Acol, Liyw979, Rob1n
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-49417",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T03:55:26.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"sound"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lexpl0it, 75Acol, Liyw979, Rob1n"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping.\n\nThe /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T08:48:30.991Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc"
}
],
"title": "Multiple vulnerabilities in the sound(4) mmap path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-49417",
"datePublished": "2026-06-27T08:48:30.991Z",
"dateReserved": "2026-05-29T20:24:28.615Z",
"dateUpdated": "2026-06-30T03:55:26.483Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45257 (GCVE-0-2026-45257)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:50 – Updated: 2026-06-27 03:55
VLAI?
Title
Arbitrary file overwrite via the KTLS receive path
Summary
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.
An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Severity ?
7.8 (High)
CWE
- CWE-123 - Write-what-where Condition
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Bumsrakete
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-26T14:57:59.851Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/20"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/10/21"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45257",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-27T03:55:21.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://www.heise.de/en/news/FreeBSD-Privilege-Escalation-Vulnerability-with-Tongue-in-Cheek-Codename-11329109.html"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ktls"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bumsrakete"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver\u0027s decryption path unchanged. Decrypting a record in place then overwrites the backing file\u0027s page cache instead of a private copy of the data.\n\nAn unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-123",
"description": "CWE-123 Write-what-where Condition",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:50:27.157Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:26.ktls.asc"
}
],
"title": "Arbitrary file overwrite via the KTLS receive path",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45257",
"datePublished": "2026-06-26T14:50:27.157Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-06-27T03:55:21.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45256 (GCVE-0-2026-45256)
Vulnerability from cvelistv5 – Published: 2026-06-26 14:43 – Updated: 2026-06-26 15:30
VLAI?
Title
Missing permission check in thr_kill2(2)
Summary
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.
The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.
An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
Severity ?
5.5 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Igor Gabriel Sousa e Souza
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45256",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T15:29:58.924156Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T15:30:02.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"thr"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p10",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p6",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p15",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
},
{
"lang": "en",
"type": "finder",
"value": "Igor Gabriel Sousa e Souza"
}
],
"datePublic": "2026-06-09T23:30:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.\n\nThe missing check allows an unprivileged local user who knows or can guess a target\u0027s process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.\n\nAn attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T14:43:22.674Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:25.thr.asc"
}
],
"title": "Missing permission check in thr_kill2(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45256",
"datePublished": "2026-06-26T14:43:22.674Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-06-26T15:30:02.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45254 (GCVE-0-2026-45254)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:34 – Updated: 2026-05-21 14:37
VLAI?
Title
Incorrect libcap_net limitation list manipulation
Summary
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected.
In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
Severity ?
6.5 (Medium)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Joshua Rogers of AISLE Research Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T14:35:55.800907Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T14:37:03.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libcap_net"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as \"allow any\" instead of being rejected.\n\nIn certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:34:37.541Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:24.cap_net.asc"
}
],
"title": "Incorrect libcap_net limitation list manipulation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45254",
"datePublished": "2026-05-21T09:34:37.541Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-21T14:37:03.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45255 (GCVE-0-2026-45255)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:27 – Updated: 2026-05-22 03:55
VLAI?
Title
Remote code execution via installer Wi-Fi access point scans
Summary
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.
The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
Severity ?
7.5 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Austin Ralls
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45255",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:39.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"bsdinstall"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Austin Ralls"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell.\n\nThe problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:27:20.431Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc"
}
],
"title": "Remote code execution via installer Wi-Fi access point scans",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45255",
"datePublished": "2026-05-21T09:27:20.431Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:39.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39461 (GCVE-0-2026-39461)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:20 – Updated: 2026-05-22 03:55
VLAI?
Title
select(2) file descriptor set overflow causes stack overflow
Summary
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
Severity ?
8.8 (High)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Joshua Rogers of AISLE Research Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:38.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libcasper"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)\u0027s descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:20:26.126Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc"
}
],
"title": "select(2) file descriptor set overflow causes stack overflow",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-39461",
"datePublished": "2026-05-21T09:20:26.126Z",
"dateReserved": "2026-04-28T15:08:10.637Z",
"dateUpdated": "2026-05-22T03:55:38.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45253 (GCVE-0-2026-45253)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:17 – Updated: 2026-05-22 03:55
VLAI?
Title
Missing validation in ptrace(PT_SC_REMOTE)
Summary
ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.
The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.
Severity ?
8.4 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Ryan at Calif.io
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45253",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:37.047Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ptrace"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan at Calif.io"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.\n\nThe missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:17:29.232Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc"
}
],
"title": "Missing validation in ptrace(PT_SC_REMOTE)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45253",
"datePublished": "2026-05-21T09:17:29.232Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:37.047Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45252 (GCVE-0-2026-45252)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:08 – Updated: 2026-05-21 13:47
VLAI?
Title
Heap overflow in FUSE_LISTXATTR
Summary
When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.
If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space.
Severity ?
5.5 (Medium)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Joshua Rogers of AISLE Research Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T13:46:56.283986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:47:03.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"fusefs"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated.\n\nIf a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:08:00.478Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc"
}
],
"title": "Heap overflow in FUSE_LISTXATTR",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45252",
"datePublished": "2026-05-21T09:08:00.478Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-21T13:47:03.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45251 (GCVE-0-2026-45251)
Vulnerability from cvelistv5 – Published: 2026-05-21 09:04 – Updated: 2026-05-22 03:55
VLAI?
Title
Kernel use-after-free via file descriptor syscalls
Summary
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.
In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability.
The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Severity ?
7.8 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
75Acol, Lexpl0it, fcgboy, and robinzeng2015
Ryan at Calif.io
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:35.943Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"file"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "75Acol, Lexpl0it, fcgboy, and robinzeng2015"
},
{
"lang": "en",
"type": "finder",
"value": "Ryan at Calif.io"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.\n\nIn the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability.\n\nThe use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T09:04:52.569Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:19.file.asc"
}
],
"title": "Kernel use-after-free via file descriptor syscalls",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45251",
"datePublished": "2026-05-21T09:04:52.569Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T03:55:35.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45250 (GCVE-0-2026-45250)
Vulnerability from cvelistv5 – Published: 2026-05-21 08:37 – Updated: 2026-05-22 07:11
VLAI?
Title
Stack buffer overflow via setcred(2)
Summary
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.
Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Severity ?
7.8 (High)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Ryan of Calif.io
Przemyslaw Frasunek
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-45250",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T03:55:34.899Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-22T07:11:47.863Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/21/18"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/22/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"setcred"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p9",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p5",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p14",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan of Calif.io"
},
{
"lang": "en",
"type": "finder",
"value": "Przemyslaw Frasunek"
}
],
"datePublic": "2026-05-20T23:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.\n\nBecause the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T08:37:17.553Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:18.setcred.asc"
}
],
"title": "Stack buffer overflow via setcred(2)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-45250",
"datePublished": "2026-05-21T08:37:17.553Z",
"dateReserved": "2026-05-11T16:27:44.891Z",
"dateUpdated": "2026-05-22T07:11:47.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35547 (GCVE-0-2026-35547)
Vulnerability from cvelistv5 – Published: 2026-04-30 08:08 – Updated: 2026-05-01 15:26
VLAI?
Title
Heap overflow in libnv
Summary
When processing the header of an incoming message, libnv failed to properly validate the message size.
The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.
Severity ?
8.1 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Mariusz Zaborski
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-35547",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T03:55:50.905074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T15:26:28.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libnv"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p13",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mariusz Zaborski"
}
],
"datePublic": "2026-04-29T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When processing the header of an incoming message, libnv failed to properly validate the message size.\n\nThe lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-130",
"description": "CWE-130: Improper Handling of Length Parameter Inconsistency",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T08:08:13.461Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc"
}
],
"title": "Heap overflow in libnv",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-35547",
"datePublished": "2026-04-30T08:08:13.461Z",
"dateReserved": "2026-04-28T15:08:10.642Z",
"dateUpdated": "2026-05-01T15:26:28.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39457 (GCVE-0-2026-39457)
Vulnerability from cvelistv5 – Published: 2026-04-30 08:01 – Updated: 2026-05-01 03:55
VLAI?
Title
Stack overflow via select() file descriptor set overflow
Summary
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).
An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
Severity ?
7.8 (High)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Joshua Rogers of AISLE Research Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T03:55:51.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"libnv"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p13",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-04-29T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)\u0027s file descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T08:01:49.015Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc"
}
],
"title": "Stack overflow via select() file descriptor set overflow",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-39457",
"datePublished": "2026-04-30T08:01:49.015Z",
"dateReserved": "2026-04-28T15:08:10.626Z",
"dateUpdated": "2026-05-01T03:55:51.194Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42512 (GCVE-0-2026-42512)
Vulnerability from cvelistv5 – Published: 2026-04-30 07:58 – Updated: 2026-05-01 15:26
VLAI?
Title
Remotely triggerable out-of-bounds heap write in dhclient
Summary
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.
A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.
Severity ?
8.1 (High)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Joshua Rogers of AISLE Research Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42512",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T03:55:53.107126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T15:26:06.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"dhclient"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p13",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-04-29T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.\n\nA specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T07:58:37.145Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:15.dhclient.asc"
}
],
"title": "Remotely triggerable out-of-bounds heap write in dhclient",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-42512",
"datePublished": "2026-04-30T07:58:37.145Z",
"dateReserved": "2026-04-28T05:31:44.956Z",
"dateUpdated": "2026-05-01T15:26:06.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7164 (GCVE-0-2026-7164)
Vulnerability from cvelistv5 – Published: 2026-04-30 07:23 – Updated: 2026-04-30 13:09
VLAI?
Title
pf can overflow the stack parsing crafted SCTP packets
Summary
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.
Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.
Severity ?
7.5 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Igor Gabriel Sousa e Souza
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7164",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T13:08:52.241699Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T13:09:07.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"pf"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p13",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Igor Gabriel Sousa e Souza"
}
],
"datePublic": "2026-04-29T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.\n\nRemote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674: Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-791",
"description": "CWE-791: Incomplete Filtering of Special Elements",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T07:23:52.601Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:14.pf.asc"
}
],
"title": "pf can overflow the stack parsing crafted SCTP packets",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-7164",
"datePublished": "2026-04-30T07:23:52.601Z",
"dateReserved": "2026-04-27T06:03:58.316Z",
"dateUpdated": "2026-04-30T13:09:07.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7270 (GCVE-0-2026-7270)
Vulnerability from cvelistv5 – Published: 2026-04-30 07:02 – Updated: 2026-05-10 06:55
VLAI?
Title
Local privilege escalation via execve()
Summary
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.
The bug may be exploitable by an unprivileged user to obtain superuser privileges.
Severity ?
7.8 (High)
CWE
- CWE-783 - Operator Precedence Logic Error
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Ryan Austin of Calif.io
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-30T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T03:55:53.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-05-10T06:55:17.771Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsd"
},
{
"url": "https://news.ycombinator.com/item?id=48077971"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"kernel"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p13",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Austin of Calif.io"
}
],
"datePublic": "2026-04-29T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.\n\nThe bug may be exploitable by an unprivileged user to obtain superuser privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-783",
"description": "CWE-783: Operator Precedence Logic Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T07:02:48.276Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.asc"
}
],
"title": "Local privilege escalation via execve()",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-7270",
"datePublished": "2026-04-30T07:02:48.276Z",
"dateReserved": "2026-04-28T05:26:31.296Z",
"dateUpdated": "2026-05-10T06:55:17.771Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42511 (GCVE-0-2026-42511)
Vulnerability from cvelistv5 – Published: 2026-04-30 06:56 – Updated: 2026-05-01 15:25
VLAI?
Title
Remote code execution via malicious DHCP options
Summary
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.
A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.
Severity ?
8.1 (High)
CWE
- CWE-149 - Improper Neutralization of Quoting Syntax
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Joshua Rogers of AISLE Research Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-01T03:55:55.336127Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-01T15:25:37.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"dhclient"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p3",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p13",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers of AISLE Research Team"
}
],
"datePublic": "2026-04-29T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.\n\nA rogue DHCP server may be able to execute arbirary code as root on a system running dhclient."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-149",
"description": "CWE-149: Improper Neutralization of Quoting Syntax",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-30T06:56:36.929Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:12.dhclient.asc"
}
],
"title": "Remote code execution via malicious DHCP options",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-42511",
"datePublished": "2026-04-30T06:56:36.929Z",
"dateReserved": "2026-04-28T05:31:44.956Z",
"dateUpdated": "2026-05-01T15:25:37.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6386 (GCVE-0-2026-6386)
Vulnerability from cvelistv5 – Published: 2026-04-22 02:33 – Updated: 2026-04-22 14:32
VLAI?
Title
Missing large page handling in pmap_pkru_update_range()
Summary
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
Severity ?
6.2 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Nicholas Carlini using Claude, Anthropic
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-6386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T14:26:42.409167Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T14:32:53.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"amd64"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p11",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicholas Carlini using Claude, Anthropic"
}
],
"datePublic": "2026-04-21T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.\n\nThe bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T02:33:24.846Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc"
}
],
"title": "Missing large page handling in pmap_pkru_update_range()"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-6386",
"datePublished": "2026-04-22T02:33:24.846Z",
"dateReserved": "2026-04-15T19:18:20.083Z",
"dateUpdated": "2026-04-22T14:32:53.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5398 (GCVE-0-2026-5398)
Vulnerability from cvelistv5 – Published: 2026-04-22 02:23 – Updated: 2026-04-23 03:56
VLAI?
Title
Kernel use-after-free bug in the TIOCNOTTY handler
Summary
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.
A malicious process can abuse the dangling pointer to grant itself root privileges.
Severity ?
8.4 (High)
CWE
- CWE-416 - Use After Free
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Nicholas Carlini using Claude, Anthropic
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T03:56:10.203Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"tty"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p6",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p2",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p11",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p12",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicholas Carlini using Claude, Anthropic"
}
],
"datePublic": "2026-04-21T18:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process\u0027 session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.\n\nA malicious process can abuse the dangling pointer to grant itself root privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T02:23:56.767Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc"
}
],
"title": "Kernel use-after-free bug in the TIOCNOTTY handler"
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-5398",
"datePublished": "2026-04-22T02:23:56.767Z",
"dateReserved": "2026-04-02T01:48:17.131Z",
"dateUpdated": "2026-04-23T03:56:10.203Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4748 (GCVE-0-2026-4748)
Vulnerability from cvelistv5 – Published: 2026-04-01 06:18 – Updated: 2026-04-01 14:56
VLAI?
Title
pf silently ignores certain rules
Summary
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.
Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.
Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
Severity ?
7.5 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Michael Gmelin
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:55:44.105033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:56:02.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"pf"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p5",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p1",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p10",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Gmelin"
}
],
"datePublic": "2026-03-26T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.\n\nSome keywords representing actions taken on a packet-matching rule, such as \u0027log\u0027, \u0027return tll\u0027, or \u0027dnpipe\u0027, may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.\n\nAffected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-480",
"description": "CWE-480: Use of Incorrect Operator",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-1023",
"description": "CWE-1023: Incomplete Comparison with Missing Factors",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T06:18:52.097Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc"
}
],
"title": "pf silently ignores certain rules",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-4748",
"datePublished": "2026-04-01T06:18:52.097Z",
"dateReserved": "2026-03-24T04:14:17.566Z",
"dateUpdated": "2026-04-01T14:56:02.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4747 (GCVE-0-2026-4747)
Vulnerability from cvelistv5 – Published: 2026-03-26 06:21 – Updated: 2026-04-02 03:55
VLAI?
Title
Remote code execution via RPCSEC_GSS packet validation
Summary
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.
As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
Severity ?
8.8 (High)
CWE
- CWE-121 - Stack-based Buffer Overflow
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Nicholas Carlini using Claude, Anthropic
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4747",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T03:55:35.253Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/exploit.py"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-04-01T14:07:04.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://github.com/califio/publications/tree/main/MADBugs/CVE-2026-4747"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"rpcsec_gss"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p5",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p1",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p10",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p11",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicholas Carlini using Claude, Anthropic"
}
],
"datePublic": "2026-03-26T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.\n\nAs kgssapi.ko\u0027s RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel\u0027s NFS server while kgssapi.ko is loaded into the kernel.\n\nIn userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121: Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T06:21:12.735Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc"
}
],
"title": "Remote code execution via RPCSEC_GSS packet validation",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-4747",
"datePublished": "2026-03-26T06:21:12.735Z",
"dateReserved": "2026-03-24T03:57:38.500Z",
"dateUpdated": "2026-04-02T03:55:35.253Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4652 (GCVE-0-2026-4652)
Vulnerability from cvelistv5 – Published: 2026-03-26 06:15 – Updated: 2026-03-26 13:31
VLAI?
Title
Remote denial of service via null pointer dereference
Summary
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.
An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine.
Severity ?
7.5 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Nikolay Denev <ndenev@gmail.com>
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4652",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T13:31:21.926248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T13:31:31.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"nvmf"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p5",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nikolay Denev \u003cndenev@gmail.com\u003e"
}
],
"datePublic": "2026-03-26T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.\n\nAn attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T06:15:00.850Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc"
}
],
"title": "Remote denial of service via null pointer dereference",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-4652",
"datePublished": "2026-03-26T06:15:00.850Z",
"dateReserved": "2026-03-23T14:35:04.472Z",
"dateUpdated": "2026-03-26T13:31:31.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4247 (GCVE-0-2026-4247)
Vulnerability from cvelistv5 – Published: 2026-03-26 06:09 – Updated: 2026-03-26 14:41
VLAI?
Title
TCP: remotely exploitable DoS vector (mbuf leak)
Summary
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.
If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.
Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
Severity ?
7.5 (High)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Michael Tuexen (Netflix)
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-4247",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:40:37.721602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:41:24.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"tcp"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p5",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p1",
"status": "affected",
"version": "14.4-RELEASE",
"versionType": "release"
},
{
"lessThan": "p10",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Tuexen (Netflix)"
}
],
"datePublic": "2026-03-26T05:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.\n\nIf an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.\n\nTechnically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401: Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T06:35:09.969Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc"
}
],
"title": "TCP: remotely exploitable DoS vector (mbuf leak)",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-4247",
"datePublished": "2026-03-26T06:09:08.446Z",
"dateReserved": "2026-03-16T03:51:53.368Z",
"dateUpdated": "2026-03-26T14:41:24.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3038 (GCVE-0-2026-3038)
Vulnerability from cvelistv5 – Published: 2026-03-09 12:25 – Updated: 2026-03-09 16:03
VLAI?
Title
Local DoS and possible privilege escalation via routing sockets
Summary
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.
In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.
The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.
Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.
Severity ?
7.5 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Credits
Adam Crosser of the Praetorian Labs team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T16:03:08.637542Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T16:03:25.820Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"route"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p4",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
},
{
"lessThan": "p9",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p10",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
},
{
"status": "affected",
"version": "14.4-RC1",
"versionType": "beta"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adam Crosser of the Praetorian Labs team"
}
],
"datePublic": "2026-02-24T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it\u0027s possible for a malicious userspace program to craft a request which triggers a 127-byte overflow.\n\n In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns.\n\nThe bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic.\n\nOther kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T12:25:39.671Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:05.route.asc"
}
],
"title": "Local DoS and possible privilege escalation via routing sockets",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-3038",
"datePublished": "2026-03-09T12:25:39.671Z",
"dateReserved": "2026-02-23T16:26:02.807Z",
"dateUpdated": "2026-03-09T16:03:25.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2261 (GCVE-0-2026-2261)
Vulnerability from cvelistv5 – Published: 2026-03-09 12:10 – Updated: 2026-03-11 15:02
VLAI?
Title
blocklistd(8) socket leak
Summary
Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.
Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.
Once a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.
An attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.
Even in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.
The accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted.
Severity ?
7.5 (High)
CWE
- CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-2261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:02:47.286466Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:02:53.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"blocklistd"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p3",
"status": "affected",
"version": "15.0-RELEASE",
"versionType": "release"
}
]
}
],
"datePublic": "2026-02-10T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives.\n\nOnce a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null pointer and crashes before it is able to exec the helper. At this point, blocklistd still records adverse events but is unable to block new addresses or unblock addresses whose database entries have expired.\n\nOnce a second, much higher number of leaked sockets is reached, blocklistd becomes unable to receive new adverse event reports.\n\nAn attacker may take advantage of this by triggering a large number of adverse events from sacrificial IP addresses to effectively disable blocklistd before launching an attack.\n\nEven in the absence of attacks or probes by would-be attackers, adverse events will occur regularly in the course of normal operations, and blocklistd will gradually run out file descriptors and become ineffective.\n\nThe accumulation of open sockets may have knock-on effects on other parts of the system, resulting in a general slowdown until blocklistd is restarted."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-772",
"description": "CWE-772: Missing Release of Resource after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T12:10:08.194Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:03.blocklistd.asc"
}
],
"title": "blocklistd(8) socket leak",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2026-2261",
"datePublished": "2026-03-09T12:10:08.194Z",
"dateReserved": "2026-02-09T17:48:49.244Z",
"dateUpdated": "2026-03-11T15:02:53.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}