Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local access to a vt(4) device by an unprivileged user (AV:L, PR:L), a straightforward overflow trigger (AC:L), and kernel memory corruption enabling root escalation together give full C/I/A impact.
Primary rating from Vendor (freebsd).
CVSS Vector (Vendor: freebsd): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (source: CVE.org)
The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.
An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.
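The size-calculation flaw the description names, as an added illustration that is not FreeBSD's vt(4) code: the entry size (HIST_ENTRY_SIZE), the row cap (HIST_MAX_ROWS) and the history struct are hypothetical stand-ins. The unchecked function shows how a 32-bit product wraps so the allocation is smaller than the number of entries later initialised; the checked form rejects the request before anything is allocated, and the hardened resize routine initialises exactly the bytes it allocated.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-row record size and policy cap; not the vt(4) driver's values. */
#define HIST_ENTRY_SIZE 16u
#define HIST_MAX_ROWS   (64u * 1024u)

/* Vulnerable pattern (CWE-190): the byte count is computed in 32 bits with no
 * overflow check, so a large row count wraps modulo 2^32 and the caller
 * allocates far fewer bytes than the rows it will later initialise. */
static uint32_t unchecked_alloc_size(uint32_t rows)
{
    return rows * HIST_ENTRY_SIZE;          /* wraps silently */
}

/* How many bytes an initialisation loop over 'rows' entries would write past
 * an allocation sized by the unchecked computation (0 when nothing wraps). */
static uint64_t unchecked_overrun_bytes(uint32_t rows)
{
    uint64_t needed = (uint64_t)rows * HIST_ENTRY_SIZE;
    uint64_t allocated = unchecked_alloc_size(rows);
    return needed > allocated ? needed - allocated : 0;
}

/* Hardened form: bound the request and prove the multiplication cannot
 * overflow before producing a size. Returns false on a bad request. */
static bool checked_alloc_size(uint32_t rows, size_t *out)
{
    if (rows == 0 || rows > HIST_MAX_ROWS)
        return false;                       /* policy cap */
    if (rows > SIZE_MAX / HIST_ENTRY_SIZE)
        return false;                       /* product would overflow size_t */
    *out = (size_t)rows * HIST_ENTRY_SIZE;
    return true;
}

/* Hypothetical history buffer, standing in for the driver's state. */
struct history {
    size_t nbytes;
    unsigned char *buf;
};

/* Hardened resize: validate first, then allocate and initialise exactly the
 * validated size. Returns 0 on success, -1 for an invalid request, -2 on OOM. */
static int history_resize(struct history *h, uint32_t rows)
{
    size_t nbytes;
    if (!checked_alloc_size(rows, &nbytes))
        return -1;                          /* a real handler would return EINVAL */
    unsigned char *nb = malloc(nbytes);
    if (nb == NULL)
        return -2;
    memset(nb, 0, nbytes);                  /* stays inside the allocation */
    free(h->buf);
    h->buf = nb;
    h->nbytes = nbytes;
    return 0;
}

int main(void)
{
    /* Constructed request: 0x10000001 rows * 16 bytes = 0x100000010, which
     * wraps to 16 bytes in 32-bit arithmetic. */
    uint32_t rows = 0x10000001u;
    printf("unchecked size for %u rows: %u bytes (overrun %llu bytes)\n",
           rows, unchecked_alloc_size(rows),
           (unsigned long long)unchecked_overrun_bytes(rows));

    struct history h = { 0, NULL };
    printf("checked resize to %u rows: %d\n", rows, history_resize(&h, rows));
    printf("checked resize to 100 rows: %d (%zu bytes)\n",
           history_resize(&h, 100u), h.nbytes);
    free(h.buf);
    return 0;
}
```

The row cap is what makes the check meaningful on 64-bit kernels, where a 32-bit row count times a small entry size never exceeds SIZE_MAX; without it the overflow guard alone would still accept allocations of several gigabytes.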
Analysis (AI-generated)
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires an unprivileged but authenticated local user (CVSS PR:L) who has open access to a vt(4) virtual terminal device and can issue the CONS_HISTORY console ioctl with an attacker-chosen oversized history size; that oversized size is the concrete trigger. … |
| Risk Assessment | Signals are internally consistent and point to a credible but locally scoped threat. … |
| Exploit Scenario | An attacker with an unprivileged shell account on a shared FreeBSD server (for example a hosting or jail-host environment) opens a vt(4) device and issues a CONS_HISTORY ioctl with a deliberately oversized history value, triggering the integer overflow and a controlled heap out-of-bounds write. By grooming kernel heap objects around the undersized allocation, the attacker overwrites adjacent kernel data to corrupt credentials or hijack control flow and escalate to root. … |
| Remediation | Apply the FreeBSD-released patches: update to FreeBSD 14.3-RELEASE-p15, 14.4-RELEASE-p6, or 15.0-RELEASE-p10 (or later) per advisory FreeBSD-SA-26:34.vt at https://security.freebsd.org/advisories/FreeBSD-SA-26:34.vt.asc, typically via freebsd-update fetch && freebsd-update install followed by a reboot, or by rebuilding the kernel from corrected sources. … |
Recommended Action (AI-generated)
24 hours: Identify all FreeBSD systems in production and assess which have untrusted local users with vt(4) console device access. …
Same weakness: CWE-190 – Integer Overflow or Wraparound
Same technique: Buffer Overflow
Identifiers: EUVD-2026-39960, GHSA-f3p8-j3ww-gvq7