FreeBSD · EUVD-2026-39960 · CVE-2026-49416 · HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-27 · freebsd · GHSA-f3p8-j3ww-gvq7
CVSS 3.1: 7.8 · Vendor: freebsd

Severity by source

Vendor (freebsd), PRIMARY: 7.8 HIGH
  AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.8 HIGH
  Local access to a vt(4) device by an unprivileged user (AV:L/PR:L), straightforward overflow trigger (AC:L), and kernel memory corruption enabling root escalation gives full C/I/A impact.
  CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  CVSS 4.0: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (freebsd).

CVSS Vector (Vendor: freebsd)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline (3)

  • Analysis Generated: Jun 29, 2026 - 20:23 (vuln.today)
  • CVSS changed: Jun 29, 2026 - 20:22 (NVD), 7.8 (HIGH)
  • CVE Published: Jun 27, 2026 - 09:25 (cve.org), UNKNOWN (no severity yet)

Description (CVE.org)

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation.

An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.

Analysis (AI)

Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain unprivileged local shell on FreeBSD host
  • Delivery: Open vt(4) terminal device
  • Exploit: Issue CONS_HISTORY ioctl with oversized size
  • Execution: Integer overflow undersizes heap buffer
  • Persist: Out-of-bounds write corrupts kernel heap
  • Impact: Escalate privileges to root

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an unprivileged but authenticated local user (CVSS PR:L) who has open access to a vt(4) virtual terminal device and can issue the CONS_HISTORY console ioctl with an attacker-chosen oversized history size - that oversized size is the concrete trigger. …

Risk Assessment: Signals are internally consistent and point to a credible but locally-scoped threat. …

Exploit Scenario: An attacker with an unprivileged shell account on a shared FreeBSD server (for example a hosting or jail-host environment) opens a vt(4) device and issues a CONS_HISTORY ioctl with a deliberately oversized history value, triggering the integer overflow and a controlled heap out-of-bounds write. By grooming kernel heap objects around the undersized allocation, the attacker overwrites adjacent kernel data to corrupt credentials or hijack control flow and escalate to root. …

Remediation: Apply the FreeBSD-released patches: update to FreeBSD 14.3-RELEASE-p15, 14.4-RELEASE-p6, or 15.0-RELEASE-p10 (or later) per advisory FreeBSD-SA-26:34.vt at https://security.freebsd.org/advisories/FreeBSD-SA-26:34.vt.asc, typically via freebsd-update fetch && freebsd-update install followed by a reboot, or by rebuilding the kernel from corrected sources. …
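
A patch-level check for the remediation above, as an added example (not from the advisory or from vuln.today). The function name vt_patch_status and the sample version strings are constructed; the fixed patch levels are the three listed on this page, and any branch the page does not list is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: classify a FreeBSD kernel version string against the fixed
# patch levels this page lists for FreeBSD-SA-26:34.vt.
# Prints one of: patched, vulnerable, unknown.
vt_patch_status() {
    ver=$1
    case $ver in
        *-RELEASE-p*) branch=${ver%%-RELEASE*}; plevel=${ver##*-p} ;;
        *-RELEASE)    branch=${ver%%-RELEASE*}; plevel=0 ;;
        *)            echo unknown; return 0 ;;   # STABLE, CURRENT, or not a version
    esac
    # Reject a non-numeric patch level instead of guessing.
    case $plevel in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # Minimum fixed patch level per release branch, taken from the page.
    case $branch in
        14.3) fixed=15 ;;
        14.4) fixed=6 ;;
        15.0) fixed=10 ;;
        *)    echo unknown; return 0 ;;   # branch not listed on the page
    esac
    if [ "$plevel" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample inputs; on a real host pass "$(freebsd-version -k)".
for v in 14.3-RELEASE-p14 14.3-RELEASE-p15 14.4-RELEASE \
         15.0-RELEASE-p12 13.5-RELEASE-p3 15.0-STABLE; do
    printf '%s\t%s\n' "$v" "$(vt_patch_status "$v")"
done
```

freebsd-version -k reports the installed kernel and freebsd-version -r the running one; after freebsd-update install, the running kernel only reaches the fixed level once the host has rebooted.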

Recommended Action (AI)

24 hours: Identify all FreeBSD systems in production and assess which have untrusted local users with vt(4) console device access. …
