Skip to main content

FreeBSD CVE-2026-7270

| EUVDEUVD-2026-26353 HIGH
Operator Precedence Logic Error (CWE-783)
2026-04-30 freebsd
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Apr 30, 2026 - 15:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 30, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 15:22 NVD
7.3 (HIGH) 7.8 (HIGH)
Analysis Generated
Apr 30, 2026 - 14:23 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
7.3 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 07:15 euvd
EUVD-2026-26353
Analysis Generated
Apr 30, 2026 - 07:15 vuln.today
CVE Published
Apr 30, 2026 - 07:02 nvd
HIGH 7.8

DescriptionCVE.org

An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.

The bug may be exploitable by an unprivileged user to obtain superuser privileges.

AnalysisAI

Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.

Technical ContextAI

The vulnerability exists in the FreeBSD kernel's execve(2) system call implementation, specifically in how it handles argument buffer allocation and copying. An operator precedence error in the kernel code creates a condition where buffer boundaries are incorrectly calculated, allowing an overflow to propagate into adjacent memory regions containing execve arguments. This is classified as CWE-783 (Operator Precedence Logic Error), a subtle programming mistake where incorrect operator evaluation order leads to unintended computation results. The execve(2) system call is fundamental to process execution in Unix-like systems, making it a high-value target. The bug affects the kernel's memory management logic during process creation, where argument vectors are prepared in kernel space before transitioning to the new process context. The CPE identifier (cpe:2.3:a:freebsd:freebsd) confirms this impacts the FreeBSD operating system kernel itself across multiple major release branches (13.x, 14.x, and 15.x).

RemediationAI

Apply vendor-released patches immediately via freebsd-update utility or rebuild kernel from patched sources. For FreeBSD 14.3-RELEASE, upgrade to patch level p12 or higher; for FreeBSD 13.5-RELEASE, upgrade to p13 or higher; for FreeBSD 14.4-RELEASE, upgrade to p3 or higher; for FreeBSD 15.0-RELEASE, upgrade to p7 or higher. Execute 'freebsd-update fetch' followed by 'freebsd-update install' and reboot to activate patched kernel. Systems unable to patch immediately should implement compensating controls: restrict local user access through stricter authentication policies, disable unnecessary user accounts, enable and monitor kernel security event auditing (auditd) to detect unusual execve patterns, and consider deploying mandatory access control frameworks (MAC) like TrustedBSD to limit privilege escalation paths. Note that MAC policies may impact application compatibility and require testing. Source code patches available through FreeBSD source repository for custom kernel builds. Complete remediation guidance at https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.asc including verification procedures.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-7270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy