Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Local-only exploit requiring a standard shell account (PR:L, AV:L); default config, no race (AC:L); scope changed as user privilege boundary is crossed to achieve root and persistent filesystem modification (S:C, C/I/A:H).
Primary rating from Vendor (CNA).
CVSS Vector (Vendor)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (PRE-NVD)
Analysis (AI)
Page-cache corruption in FreeBSD's kTLS-RX subsystem (CVE-2026-45257 / FreeBSD-SA-26:26.kTLS) enables an unprivileged local user to overwrite arbitrary bytes in the backing physical page of any world-readable file, including SUID-root binaries, by exploiting in-place AES-GCM decryption running directly over sendfile(2)-produced EXTPG mbufs via the kernel direct map (DMAP). The write bypasses the VFS layer entirely, defeating file permissions, mount options, and chflags schg immutable flags - making this the FreeBSD functional equivalent of Linux CVE-2022-0847 (Dirty Pipe). …
Vulnerability Assessment (AI)
| Category | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a standard unprivileged local user account with shell access - no special group membership, capability, sudo permission, or network-facing service interaction is needed. … |
| Risk Assessment | No CVSS score, vector, or EPSS probability is provided in the available data - all CVSS metrics in this report are independently assessed. … |
| Exploit Scenario | An attacker with a standard unprivileged shell account creates a loopback TCP socket pair and issues a TCP_RXTLS_ENABLE setsockopt on the receiving socket, supplying a self-chosen AES-128-GCM key, salt, and IV - no privilege check is performed on this call. The attacker then uses sendfile(2) to send a target SUID-root binary (e.g., /usr/bin/su) into the sending socket; because lo0 lacks IFCAP_MEXTPG, Guard 2 remaps the EXTPG mbuf via sf_buf to the same underlying physical page rather than copying it. … |
| Remediation | Apply the vendor patch documented in FreeBSD-SA-26:26.kTLS; the exact patched release version is not confirmed in the available data beyond the advisory identifier, so administrators should monitor https://www.freebsd.org/security/advisories/ and freebsd-security-notifications@ for the patched release announcement. … |
Weakness: CWE-123 – Write-what-where Condition
Technique: Authentication Bypass
EUVD-2026-39780