Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.
The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.
AnalysisAI
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
Technical ContextAI
The vulnerability lives in the FreeBSD kernel's ptrace(2) facility, specifically the PT_SC_REMOTE operation that allows a debugger to invoke a system call on behalf of a traced process. When the requested syscall is the meta-syscall syscall(2) or __syscall(2) - which take a syscall number as their first argument and dispatch indirectly - the kernel failed to re-validate the chosen syscall number and arguments through the standard syscall entry path. Combined with CWE-787 (out-of-bounds write), this allows a debugger to coerce the kernel into dispatching crafted syscall handlers with attacker-controlled arguments, producing memory corruption inside kernel address space. The affected component is the base FreeBSD operating system per CPE cpe:2.3:a:freebsd:freebsd:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: FreeBSD 14.3-RELEASE-p14, 14.4-RELEASE-p5, or 15.0-RELEASE-p9 (or later) per FreeBSD-SA-26:21.ptrace at https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc; apply via freebsd-update fetch install and reboot to load the patched kernel. If patching must be deferred, restrict who can ptrace processes by raising security.bsd.unprivileged_proc_debug to 0 via sysctl (this prevents non-root users from attaching to their own processes and will break debuggers like lldb/gdb and software that uses ptrace for crash reporting), and constrain access to multi-user shells, untrusted local accounts, and jails where escape into the host kernel would be catastrophic. Avoid running untrusted code on shared hosts until patched; jail or VM isolation does not mitigate this if the attacker is inside the same kernel.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31257
GHSA-96wx-9xhw-cf8x