FreeBSD CVE-2026-5398

EUVD-2026-24589 | HIGH
Use After Free (CWE-416)
2026-04-22 · freebsd
8.4 (CVSS 3.1 · NVD)
Severity by source

NVD (primary): 8.4 HIGH, AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

6 events:
Re-analysis Queued: Apr 22, 2026 - 21:37 (vuln.today), cvss_changed
Analysis Generated: Apr 22, 2026 - 15:23 (vuln.today)
CVSS changed: Apr 22, 2026 - 15:22 (NVD), 8.4 (HIGH)
EUVD ID Assigned: Apr 22, 2026 - 03:00 (euvd), EUVD-2026-24589
Analysis Generated: Apr 22, 2026 - 03:00 (vuln.today)
CVE Published: Apr 22, 2026 - 02:23 (nvd), HIGH 8.4

Description (CVE.org)

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.

A malicious process can abuse the dangling pointer to grant itself root privileges.

Analysis (AI)

Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local shell access
Delivery: Invoke TIOCNOTTY ioctl on terminal
Exploit: Exit process leaving dangling pointer
Execution: Manipulate kernel heap via syscalls
Persist: Trigger terminal operation dereferencing stale pointer
Impact: Execute code as root

Vulnerability Assessment (AI)

Exploitation: Exploitation requires local access to a FreeBSD system running vulnerable kernel versions (13.5-RELEASE before p12, 14.3-RELEASE before p11, 15.0-RELEASE before p6, or 14.4-RELEASE before p2). …

Risk Assessment: Despite the high CVSS base score of 8.4 reflecting severe potential impact (C:H/I:H/A:H), real-world exploitation risk appears moderate based on multi-source signals. …

Exploit Scenario: An attacker with local shell access (via SSH, compromised web application, or physical access) executes a malicious program that invokes the TIOCNOTTY ioctl to detach from its controlling terminal, creating the dangling pointer condition. The program then carefully exits in a manner that leaves the freed session structure allocated at a predictable kernel heap location. …

Remediation: Apply vendor-released patches immediately via the freebsd-update utility or rebuild the kernel from patched sources. …

Recommended Action (AI)

Within 24 hours: Inventory all FreeBSD systems running versions 13.5 through 15.0 and document their network criticality and local user access policies. …

CVE-2026-5398 vulnerability details – vuln.today