Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Jail boundary bypass constitutes a scope change (S:C); exploitation requires only a local low-privileged account; impact is availability-only from signal delivery.
Primary rating from Vendor (freebsd).
CVSS VectorVendor: freebsd
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.
The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.
An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
AnalysisAI
Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a local unprivileged account on the affected FreeBSD system (AV:L, PR:L) - remote exploitation is not possible without a pre-existing local foothold. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the local, low-privilege exploitation vector and availability-only impact, but assigns Unchanged scope despite the advisory explicitly describing jail boundary bypass - this is a meaningful understatement of risk for jail-based multi-tenant FreeBSD deployments where cross-jail and host signaling represent a scope violation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged local user or a process running inside a FreeBSD jail iterates through globally sequential thread IDs - requiring no prior knowledge of the target - and repeatedly calls thr_kill2() with candidate PID/TID pairs targeting a root-owned system daemon such as syslogd, cron, or ntpd. The kernel delivers SIGKILL to each matched thread regardless of the p_cansignal() result, terminating the daemon. … |
| Remediation | Apply the vendor-released patches documented in FreeBSD Security Advisory FreeBSD-SA-26:25.thr.asc (https://security.freebsd.org/advisories/FreeBSD-SA-26:25.thr.asc): upgrade FreeBSD 15.0-RELEASE to p10 or later, FreeBSD 14.3-RELEASE to p15 or later, and FreeBSD 14.4-RELEASE to p6 or later using freebsd-update or from source. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39776
GHSA-hvc9-hvw8-q2fx