Severity by source
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Note: Local unprivileged trigger (AV:L/AC:L/PR:L) with no direct code execution; the flaw only weakens an integrity mitigation (I:L), so it has no standalone C/A impact, unlike the vendor's chained 7.8.
Primary rating from Vendor (freebsd).
CVSS Vector (Vendor: freebsd): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.
An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.
Analysis (AI)
A local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. If the user calls procctl(2) to request that ASLR be disabled and then calls execve(2), the per-process disable flag is still in effect when the PIE base address is computed, because the activator clears the flag only after that point. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Requires local, unprivileged shell access to an affected FreeBSD host and the ability to invoke procctl(2) before execve(2): the concrete prerequisite is calling PROC_ASLR_CTL to request an ASLR disable, then executing a target that is both setuid and built as a position-independent executable (PIE). … |
| Risk Assessment | Signals are consistent and point to a real but secondary risk. … |
| Exploit Scenario | An unprivileged user with shell access on a multi-user FreeBSD server who has discovered (or is chaining) a memory-corruption bug in a local setuid root binary calls procctl(2) to disable ASLR, then executes the setuid binary via execve(2); it now loads at a predictable base address. With randomization removed, the attacker reliably crafts ROP/return-to-libc payloads against the second vulnerability to escalate to root. … |
| Remediation | Apply the FreeBSD security patches to a fixed level: update to FreeBSD 14.3-RELEASE-p15, 14.4-RELEASE-p6, or 15.0-RELEASE-p10 (or later) as documented in advisory FreeBSD-SA-26:32.elf (https://security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc), typically via freebsd-update fetch install followed by a reboot. … |
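A patch-level check against the fixed versions named in the Remediation row, written here as an added example (it is not part of this page nor of FreeBSD's own tooling). It assumes freebsd-version(1) is available for live input; the fix is in the kernel, so the kernel patch level is the one that matters, and the userland level is reported only for completeness.

```python
"""Check a FreeBSD patch level against the fixed releases in FreeBSD-SA-26:32.elf."""
import re
import subprocess

# Minimum patch level per release branch, as stated in the advisory (hypothetical
# mapping built from the page's remediation text; extend it if the advisory changes).
FIXED_PATCH_LEVELS = {
    "14.3": 15,
    "14.4": 6,
    "15.0": 10,
}

_RELEASE_RE = re.compile(r"^(\d+\.\d+)-RELEASE(?:-p(\d+))?$")


def parse_release(version: str):
    """Parse '14.3-RELEASE-p12' into ('14.3', 12); a bare '15.0-RELEASE' is patch 0.

    Returns None for non-RELEASE strings (e.g. '15.0-CURRENT'), which this check
    cannot assess against RELEASE patch levels.
    """
    m = _RELEASE_RE.match(version.strip())
    if not m:
        return None
    branch, patch = m.group(1), m.group(2)
    return branch, (int(patch) if patch is not None else 0)


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable', 'not-covered' (branch not in advisory) or 'unknown'."""
    parsed = parse_release(version)
    if parsed is None:
        return "unknown"
    branch, patch = parsed
    if branch not in FIXED_PATCH_LEVELS:
        return "not-covered"
    return "patched" if patch >= FIXED_PATCH_LEVELS[branch] else "vulnerable"


def running_versions() -> dict:
    """Query the live host via freebsd-version(1): -k is the running kernel, -u the userland."""
    out = {}
    for flag, name in (("-k", "kernel"), ("-u", "userland")):
        try:
            proc = subprocess.run(["freebsd-version", flag], capture_output=True, text=True, check=True)
            out[name] = proc.stdout.strip()
        except (OSError, subprocess.CalledProcessError):
            out[name] = None  # not a FreeBSD host, or the tool is missing
    return out


if __name__ == "__main__":
    for name, ver in running_versions().items():
        print(f"{name}: {ver}: {assess(ver) if ver else 'unavailable'}")
```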
Recommended Action (AI)
Within 24 hours: Inventory all FreeBSD systems and identify those with untrusted local users or multi-user shell access; disable non-essential local accounts where possible. …
Weakness: CWE-179 – Incorrect Behavior Order: Early Validation
Technique: Buffer Overflow
EUVD-2026-39966