FreeBSD Kernel, EUVD-2026-39780

CVE-2026-45257 HIGH
Write-what-where Condition (CWE-123)
2026-06-10
7.8
CVSS 3.1 · Vendor

Severity by source

Vendor (CNA) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Local-only exploit requiring a standard shell account (PR:L, AV:L); default config, no race (AC:L); scope changed as user privilege boundary is crossed to achieve root and persistent filesystem modification (S:C, C/I/A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • CVSS changed: Jun 26, 2026 - 16:22 (NVD), 7.8 (HIGH)
  • Analysis Generated: Jun 10, 2026 - 22:17 (vuln.today)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Page-cache corruption in FreeBSD's kTLS-RX subsystem (CVE-2026-45257 / FreeBSD-SA-26:26.kTLS) enables an unprivileged local user to overwrite arbitrary bytes in the backing physical page of any world-readable file, including SUID-root binaries, by exploiting in-place AES-GCM decryption running directly over sendfile(2)-produced EXTPG mbufs via the kernel direct map (DMAP). The write bypasses the VFS layer entirely, defeating file permissions, mount options, and chflags schg immutable flags - making this the FreeBSD functional equivalent of Linux CVE-2022-0847 (Dirty Pipe). …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain local unprivileged shell
  • Delivery: Enable kTLS RX on loopback socket with attacker-chosen AES-GCM key/IV
  • Exploit: sendfile(2) SUID binary into loopback TCP socket
  • Install: Kernel DMAP remap preserves page-cache physical address
  • C2: In-place AES-GCM decrypt writes shellcode bytes into page cache
  • Execute: Execute modified SUID binary
  • Impact: Root shell obtained

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a standard unprivileged local user account with shell access - no special group membership, capability, sudo permission, or network-facing service interaction is needed. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: No CVSS score, vector, or EPSS probability is provided in the available data - all CVSS metrics in this report are independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a standard unprivileged shell account creates a loopback TCP socket pair and issues a TCP_RXTLS_ENABLE setsockopt on the receiving socket, supplying a self-chosen AES-128-GCM key, salt, and IV - no privilege check is performed on this call. The attacker then uses sendfile(2) to send a target SUID-root binary (e.g., /usr/bin/su) into the sending socket; because lo0 lacks IFCAP_MEXTPG, Guard 2 remaps the EXTPG mbuf via sf_buf to the same underlying physical page rather than copying it. …

Remediation: Apply the vendor patch documented in FreeBSD-SA-26:26.kTLS; the exact patched release version is not confirmed in the available data beyond the advisory identifier, so administrators should monitor https://www.freebsd.org/security/advisories/ and freebsd-security-notifications@ for the patched release announcement. … Detailed patch versions, workarounds, and compensating controls in full report.

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2026-4747 HIGH POC
8.8 Mar 26

Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_se

CVE-2026-39461 HIGH
8.8 May 21

Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to spec

CVE-2025-15547 HIGH
8.8 Mar 09

By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enabl

CVE-2026-45253 HIGH
8.4 May 21

Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug acce

CVE-2026-5398 HIGH
8.4 Apr 22

Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploit

CVE-2026-42512 HIGH
8.1 Apr 30

Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHC

CVE-2026-35547 HIGH
8.1 Apr 30

Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation

CVE-2026-42511 HIGH
8.1 Apr 30

Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanit

CVE-2026-45258 HIGH
7.8 Jun 27

Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the

CVE-2026-49416 HIGH
7.8 Jun 27

Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTO
