Skip to main content

FreeBSD EUVDEUVD-2026-39776

| CVE-2026-45256 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-26 secteam@freebsd.org GHSA-hvc9-hvw8-q2fx
5.5
CVSS 3.1 · Vendor: freebsd
Share

Severity by source

Vendor (freebsd) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Jail boundary bypass constitutes a scope change (S:C); exploitation requires only a local low-privileged account; impact is availability-only from signal delivery.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (freebsd).

CVSS VectorVendor: freebsd

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 26, 2026 - 17:36 vuln.today
CVSS changed
Jun 26, 2026 - 16:22 NVD
5.5 (MEDIUM)
CVE Published
Jun 26, 2026 - 15:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.

The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.

An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).

AnalysisAI

Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain unprivileged local shell access
Delivery
Brute-force globally sequential thread IDs
Exploit
Call thr_kill2() with enumerated PID and TID
Install
p_cansignal() result ignored, signal unconditionally delivered
C2
SIGKILL sent to privileged or root-owned process
Execute
Critical system daemon terminated
Impact
Denial of Service or jail-escape to host achieved

Vulnerability AssessmentAI

Exploitation Requires a local unprivileged account on the affected FreeBSD system (AV:L, PR:L) - remote exploitation is not possible without a pre-existing local foothold. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local, low-privilege exploitation vector and availability-only impact, but assigns Unchanged scope despite the advisory explicitly describing jail boundary bypass - this is a meaningful understatement of risk for jail-based multi-tenant FreeBSD deployments where cross-jail and host signaling represent a scope violation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user or a process running inside a FreeBSD jail iterates through globally sequential thread IDs - requiring no prior knowledge of the target - and repeatedly calls thr_kill2() with candidate PID/TID pairs targeting a root-owned system daemon such as syslogd, cron, or ntpd. The kernel delivers SIGKILL to each matched thread regardless of the p_cansignal() result, terminating the daemon. …
Remediation Apply the vendor-released patches documented in FreeBSD Security Advisory FreeBSD-SA-26:25.thr.asc (https://security.freebsd.org/advisories/FreeBSD-SA-26:25.thr.asc): upgrade FreeBSD 15.0-RELEASE to p10 or later, FreeBSD 14.3-RELEASE to p15 or later, and FreeBSD 14.4-RELEASE to p6 or later using freebsd-update or from source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

EUVD-2026-39776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy