Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
AnalysisAI
Unprivileged local users on FreeBSD can read sensitive kernel memory via a page table manipulation bug in pmap_pkru_update_range(). When applying protection keys to 1GB largepage mappings created through shm_create_largepage(3), the kernel incorrectly treats userspace memory as page table entries, enabling unauthorized information disclosure. This affects FreeBSD 13.5, 14.3, 14.4, and 15.0 releases and has been confirmed fixed by vendor patches.
Technical ContextAI
The vulnerability exists in the FreeBSD kernel's memory protection key (PKU/PKRU) management subsystem. When updating protection keys across an address range, the pmap_pkru_update_range() function must navigate page table hierarchies to identify which entries require updates. The bug occurs because the function fails to recognize 1GB largepage mappings, which are created via the shm_create_largepage(3) interface and represent a non-standard page directory entry structure. Instead of detecting these largepage entries, the code incorrectly interprets them as pointing to conventional page table pages, leading to out-of-bounds memory access. The underlying issue is improper privilege boundary checking (CWE-269) when manipulating page table structures without validating entry types. The vulnerability is architecture-specific to amd64 (x86-64) systems where largepage mappings and PKRU support are implemented.
RemediationAI
Apply the vendor-released patches immediately: FreeBSD 13.5-RELEASE-p12 or later, 14.3-RELEASE-p11 or later, 14.4-RELEASE-p2 or later, or 15.0-RELEASE-p6 or later. Administrators using 'freebsd-update' should run 'freebsd-update fetch install' followed by a system reboot. No workarounds are available; patching is mandatory for affected systems. Interim mitigation is to disable shm_create_largepage(3) functionality if workload-dependent, but this does not eliminate the underlying kernel vulnerability and is not recommended as a permanent solution. See https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc for detailed patch instructions and verification procedures.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24592
GHSA-99g5-mwj2-6xjq