Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Local-only attack requiring existing sandbox presence (AV:L, PR:L); scope changes because impact extends to external processes (S:C); only availability impacted via SIGKILL/SIGSTOP (A:H, C:N, I:N).
Primary rating from Vendor (freebsd).
CVSS VectorVendor: freebsd
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID.
A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process.
AnalysisAI
Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the attacker already control code executing inside a Capsicum capability-mode sandbox - specifically, a process that has called cap_enter(2) or been placed into capability mode by a parent process. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 6.5 with S:C reflects a genuine sandbox escape with high availability impact, but several signals substantially dampen the urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has achieved code execution within a Capsicum-sandboxed application - for example, through a memory corruption bug in a sandboxed media parser or network service - invokes sigqueue(2) targeting the PID of a critical daemon (such as a logging service or authentication process) running under the same UID, sending SIGKILL to terminate it and cause a denial-of-service condition. No public exploit code has been identified at time of analysis, and the attack is non-automatable per SSVC, meaning exploitation requires deliberate, targeted effort following an initial compromise. |
| Remediation | Apply the vendor-released patches by upgrading to FreeBSD 15.0-RELEASE-p10, FreeBSD 14.4-RELEASE-p6, or FreeBSD 14.3-RELEASE-p15 as specified in FreeBSD-SA-26:28.capsicum.asc (https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39963