
FreeBSD CVE-2026-49414

EUVD: EUVD-2026-39966 | HIGH
Incorrect Behavior Order: Early Validation (CWE-179)
2026-06-27 · freebsd
7.8 (CVSS 3.1 · Vendor: freebsd)

Severity by source

Vendor (freebsd), PRIMARY: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
vuln.today AI: 3.3 LOW

Local unprivileged trigger (AV:L/AC:L/PR:L) with no direct code execution; the flaw only weakens an integrity mitigation (I:L), so no C/A impact standalone, unlike the vendor's chained 7.8.

CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (freebsd).

CVSS Vector (Vendor: freebsd)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Jun 29, 2026 - 14:27 (vuln.today)
CVSS changed: Jun 29, 2026 - 14:22 (NVD), 7.8 (HIGH)
CVE Published: Jun 27, 2026 - 09:22 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.

An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.

Analysis (AI)

A local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. When the user calls procctl(2) to request ASLR disablement before execve(2), the per-process disable flag is still active when the PIE base address is computed, because the activator clears the flag too late. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local unprivileged account
Delivery: Call procctl(2) to disable ASLR
Exploit: execve(2) setuid PIE binary
Execution: PIE loaded at predictable base
Persist: Exploit separate memory-corruption bug
Impact: Escalate to root

Vulnerability Assessment (AI)

Exploitation: Requires local, unprivileged shell access to an affected FreeBSD host and the ability to invoke procctl(2) before execve(2) - the concrete prerequisite is calling PROC_ASLR_CTL to request ASLR disable, then executing a target that is BOTH setuid AND built as a position-independent executable (PIE). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Signals are consistent and point to a real-but-secondary risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unprivileged user with shell access on a multi-user FreeBSD server who has discovered (or is chaining) a memory-corruption bug in a local setuid root binary calls procctl(2) to disable ASLR, then execve(2)s the setuid binary, which now loads at a predictable base address. With randomization removed, the attacker reliably crafts ROP/return-to-libc payloads against the second vulnerability to escalate to root. …

Remediation: Apply the FreeBSD security patches to a fixed level: update to FreeBSD 14.3-RELEASE-p15, 14.4-RELEASE-p6, or 15.0-RELEASE-p10 (or later) as documented in advisory FreeBSD-SA-26:32.elf (https://security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc), typically via freebsd-update fetch install followed by a reboot. … Detailed patch versions, workarounds, and compensating controls in full report.
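
A patch-level check against the fixed versions quoted in the Remediation text, as an added example that is not part of the advisory or of this page's original content. The function names `fixed_level` and `classify_sa_26_32` are hypothetical, and the script assumes version strings in the form printed by freebsd-version(1); branches the page does not list are reported as `unknown` rather than guessed.

```shell
#!/bin/sh
# Added example: compare a FreeBSD version string with the fixed patch levels
# quoted in the Remediation text (14.3-p15, 14.4-p6, 15.0-p10).

# Print the first fixed patch level for a release branch named on this page.
fixed_level() {
    case "$1" in
        14.3) echo 15 ;;
        14.4) echo 6 ;;
        15.0) echo 10 ;;
        *)    return 1 ;;   # branch not covered by the page
    esac
}

# classify_sa_26_32 VERSION -> fixed | below-fixed-level | unknown
classify_sa_26_32() {
    ver=$1
    case "$ver" in
        *-RELEASE-p*) rel=${ver%%-RELEASE*}; pl=${ver##*-p} ;;
        *-RELEASE)    rel=${ver%%-RELEASE*}; pl=0 ;;
        *)            echo unknown; return 0 ;;  # -STABLE, -CURRENT, ...
    esac
    case "$pl" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # malformed patch level
    esac
    need=$(fixed_level "$rel") || { echo unknown; return 0; }
    if [ "$pl" -ge "$need" ]; then
        echo fixed
    else
        echo below-fixed-level
    fi
}

# On a FreeBSD host, report the installed (-k) and running (-r) kernel: the
# flaw is in the kernel, so the running kernel is what matters after a reboot.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -k -r; do
        v=$(freebsd-version "$flag")
        echo "freebsd-version $flag: $v -> $(classify_sa_26_32 "$v")"
    done
fi
```

If the installed kernel reports `fixed` while the running kernel reports `below-fixed-level`, the update has been installed but the host has not yet been rebooted into it.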

Recommended Action (AI)

Within 24 hours: Inventory all FreeBSD systems and identify those with untrusted local users or multi-user shell access; disable non-essential local accounts if possible. …


CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2026-4747 HIGH POC
8.8 Mar 26

Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_se

CVE-2026-39461 HIGH
8.8 May 21

Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to spec

CVE-2025-15547 HIGH
8.8 Mar 09

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enabl

CVE-2026-45253 HIGH
8.4 May 21

Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug acce

CVE-2026-5398 HIGH
8.4 Apr 22

Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploit

CVE-2026-42512 HIGH
8.1 Apr 30

Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHC

CVE-2026-35547 HIGH
8.1 Apr 30

Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation

CVE-2026-42511 HIGH
8.1 Apr 30

Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanit

CVE-2026-45258 HIGH
7.8 Jun 27

Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the

CVE-2026-49416 HIGH
7.8 Jun 27

Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTO
