Skip to main content

FreeBSD Kernel CVE-2026-6386

| EUVDEUVD-2026-24592 MEDIUM
Improper Privilege Management (CWE-269)
2026-04-22 freebsd GHSA-99g5-mwj2-6xjq
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 22, 2026 - 15:22 vuln.today
CVSS changed
Apr 22, 2026 - 15:22 NVD
6.2 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 03:00 euvd
EUVD-2026-24592
Analysis Generated
Apr 22, 2026 - 03:00 vuln.today
CVE Published
Apr 22, 2026 - 02:33 nvd
MEDIUM 6.2

DescriptionCVE.org

In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.

The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.

AnalysisAI

Unprivileged local users on FreeBSD can read sensitive kernel memory via a page table manipulation bug in pmap_pkru_update_range(). When applying protection keys to 1GB largepage mappings created through shm_create_largepage(3), the kernel incorrectly treats userspace memory as page table entries, enabling unauthorized information disclosure. This affects FreeBSD 13.5, 14.3, 14.4, and 15.0 releases and has been confirmed fixed by vendor patches.

Technical ContextAI

The vulnerability exists in the FreeBSD kernel's memory protection key (PKU/PKRU) management subsystem. When updating protection keys across an address range, the pmap_pkru_update_range() function must navigate page table hierarchies to identify which entries require updates. The bug occurs because the function fails to recognize 1GB largepage mappings, which are created via the shm_create_largepage(3) interface and represent a non-standard page directory entry structure. Instead of detecting these largepage entries, the code incorrectly interprets them as pointing to conventional page table pages, leading to out-of-bounds memory access. The underlying issue is improper privilege boundary checking (CWE-269) when manipulating page table structures without validating entry types. The vulnerability is architecture-specific to amd64 (x86-64) systems where largepage mappings and PKRU support are implemented.

RemediationAI

Apply the vendor-released patches immediately: FreeBSD 13.5-RELEASE-p12 or later, 14.3-RELEASE-p11 or later, 14.4-RELEASE-p2 or later, or 15.0-RELEASE-p6 or later. Administrators using 'freebsd-update' should run 'freebsd-update fetch install' followed by a system reboot. No workarounds are available; patching is mandatory for affected systems. Interim mitigation is to disable shm_create_largepage(3) functionality if workload-dependent, but this does not eliminate the underlying kernel vulnerability and is not recommended as a permanent solution. See https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc for detailed patch instructions and verification procedures.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-6386 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy