Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.
A malicious process can abuse the dangling pointer to grant itself root privileges.
Analysis (AI)
Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. …
Vulnerability Assessment (AI)
| Aspect | Summary |
| --- | --- |
| Exploitation | Exploitation requires local access to a FreeBSD system running vulnerable kernel versions (13.5-RELEASE before p12, 14.3-RELEASE before p11, 15.0-RELEASE before p6, or 14.4-RELEASE before p2). … |
| Risk Assessment | Despite the high CVSS base score of 8.4 reflecting severe potential impact (C:H/I:H/A:H), real-world exploitation risk appears moderate based on multi-source signals. … |
| Exploit Scenario | An attacker with local shell access (via SSH, compromised web application, or physical access) executes a malicious program that invokes the TIOCNOTTY ioctl to detach from its controlling terminal, creating the dangling pointer condition. The program then carefully exits in a manner that leaves the freed session structure allocated at a predictable kernel heap location. … |
| Remediation | Apply vendor-released patches immediately via freebsd-update utility or rebuild kernel from patched sources. … |
Recommended Action (AI)
Within 24 hours: Inventory all FreeBSD systems running versions 13.5 through 15.0 and document their network criticality and local user access policies. …
Same weakness CWE-416 – Use After Free
EUVD-2026-24589