Skip to main content

FreeBSD Capsicum EUVDEUVD-2026-39963

| CVE-2026-45259 MEDIUM
Incorrect Privilege Assignment (CWE-266)
2026-06-27 freebsd
6.5
CVSS 3.1 · Vendor: freebsd
Share

Severity by source

Vendor (freebsd) PRIMARY
6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Local-only attack requiring existing sandbox presence (AV:L, PR:L); scope changes because impact extends to external processes (S:C); only availability impacted via SIGKILL/SIGSTOP (A:H, C:N, I:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H

Primary rating from Vendor (freebsd).

CVSS VectorVendor: freebsd

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 29, 2026 - 14:32 vuln.today
CVSS changed
Jun 29, 2026 - 14:22 NVD
6.5 (None) 6.5 (MEDIUM)
CVE Published
Jun 27, 2026 - 08:59 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID.

A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process.

AnalysisAI

Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise Capsicum-sandboxed application
Delivery
Invoke sigqueue(2) with target PID
Exploit
Bypass missing capability mode check in kern_sigqueue
Execution
Deliver SIGKILL or SIGSTOP to victim process
Impact
Cause denial of service on target

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker already control code executing inside a Capsicum capability-mode sandbox - specifically, a process that has called cap_enter(2) or been placed into capability mode by a parent process. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 with S:C reflects a genuine sandbox escape with high availability impact, but several signals substantially dampen the urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has achieved code execution within a Capsicum-sandboxed application - for example, through a memory corruption bug in a sandboxed media parser or network service - invokes sigqueue(2) targeting the PID of a critical daemon (such as a logging service or authentication process) running under the same UID, sending SIGKILL to terminate it and cause a denial-of-service condition. No public exploit code has been identified at time of analysis, and the attack is non-automatable per SSVC, meaning exploitation requires deliberate, targeted effort following an initial compromise.
Remediation Apply the vendor-released patches by upgrading to FreeBSD 15.0-RELEASE-p10, FreeBSD 14.4-RELEASE-p6, or FreeBSD 14.3-RELEASE-p15 as specified in FreeBSD-SA-26:28.capsicum.asc (https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

EUVD-2026-39963 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy