Freebsd
Monthly
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. Exploitation is local (PR:L) with no public exploit identified at time of analysis and a low EPSS of 0.18% (8th percentile).
Local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. By calling procctl(2) to request ASLR disablement before execve(2), the per-process disable flag remains active when the PIE base address is computed, because the activator clears the flag too late. This is a mitigation-weakening flaw that materially eases exploitation of any separate memory-corruption bug in those privileged binaries; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile).
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.
Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. EPSS is 0.14% (4th percentile), SSVC marks exploitation as none and non-automatable, and no public exploit has been identified at time of analysis.
Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile), and FreeBSD has released errata patches.
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. No public exploit has been identified at time of analysis and SSVC assesses exploitation as none, though globally sequential thread IDs reduce the skill requirement to simple brute force, and the jail boundary bypass adds a container-escape dimension absent from the base CVSS score.
Page-cache corruption in FreeBSD's kTLS-RX subsystem (CVE-2026-45257 / FreeBSD-SA-26:26.kTLS) enables an unprivileged local user to overwrite arbitrary bytes in the backing physical page of any world-readable file, including SUID-root binaries, by exploiting in-place AES-GCM decryption running directly over sendfile(2)-produced EXTPG mbufs via the kernel direct map (DMAP). The write bypasses the VFS layer entirely, defeating file permissions, mount options, and chflags schg immutable flags - making this the FreeBSD functional equivalent of Linux CVE-2022-0847 (Dirty Pipe). A public exploit (bumsrakete.c) is included in the oss-security disclosure and achieves reliable root LPE in approximately 1.5 seconds on default FreeBSD 13.0 through 15.0 on amd64, arm64, and riscv; no public KEV listing has been identified at time of analysis.
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
Remote denial-of-service in FreeBSD packet filter (pf) allows unauthenticated attackers to crash systems via malformed SCTP packets. Unbounded recursion in SCTP chunk parameter parsing triggers stack overflow, causing kernel panic on any FreeBSD system with pf enabled, regardless of firewall ruleset configuration. EPSS score of 0.06% (17th percentile) suggests low broad exploitation probability, but impact is critical for exposed FreeBSD firewalls. Official patch released by FreeBSD covering versions 13.5, 14.3, 14.4, and 15.0.
Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.
Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanitized BOOTP file field in DHCP responses. When dhclient writes lease data without escaping embedded double-quotes and later re-parses it (e.g., after system restart), injected dhclient.conf directives execute through dhclient-script. EPSS score is notably low (0.02%, 5th percentile) with SSVC indicating no observed exploitation and partial technical impact, suggesting limited real-world targeting despite the high-severity nature of root code execution. No public exploit code identified at time of analysis.
Unprivileged local users on FreeBSD can read sensitive kernel memory via a page table manipulation bug in pmap_pkru_update_range(). When applying protection keys to 1GB largepage mappings created through shm_create_largepage(3), the kernel incorrectly treats userspace memory as page table entries, enabling unauthorized information disclosure. This affects FreeBSD 13.5, 14.3, 14.4, and 15.0 releases and has been confirmed fixed by vendor patches.
Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. This vulnerability affects multiple stable and release branches with CVSS 8.4 (High) but low EPSS probability (0.02%, 5th percentile), indicating theoretical severity without observed widespread exploitation. Not listed in CISA KEV, suggesting no confirmed active exploitation at time of analysis.
Packet filter (pf) rule hash calculation regression in FreeBSD causes rules with address range syntax (x.x.x.x - y.y.y.y) differing only in address ranges to be silently dropped as duplicates, loading only the first rule and potentially causing unexpected packet filtering behavior including unintended blocking or allowing of traffic. The regression affects pf's duplicate detection mechanism but does not impact rules using CIDR notation (address/mask-bits syntax). Only the first of multiple such rules is loaded, creating a silent configuration failure with no warning to administrators.
Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_sec) allows low-privileged authenticated attackers to execute arbitrary code via crafted network packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches. Publicly available exploit code exists (GitHub/Gist), though EPSS probability remains low (0.05%, 16th percentile) and CISA has not listed this in KEV, suggesting limited observed exploitation despite high CVSS 8.8 score and total technical impact per SSVC framework.
NVMe/TCP targets are vulnerable to unauthenticated denial of service when a remote attacker sends a CONNECT command with an invalid CNTLID, triggering a kernel panic on the exposed system. The vulnerability exploits a null pointer dereference that allows any network-accessible attacker to crash the target without authentication. No patch is currently available for this high-severity flaw.
This vulnerability is a memory leak in FreeBSD's TCP stack where the tcp_respond() function fails to properly free allocated memory buffers (mbufs) when challenge ACKs are not sent in response to crafted packets. FreeBSD systems of all versions are affected. An attacker with network access (either on-path with an established connection or able to establish one, or via spoofed packets) can trigger this leak repeatedly by sending specially crafted packets that exceed rate limits, causing heap exhaustion and potential denial of service through resource depletion.
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. [CVSS 7.5 HIGH]
FreeBSD's blocklistd service leaks socket descriptors on each adverse event report, causing progressive service degradation until it can no longer block malicious IP addresses or process new reports. An attacker can exploit this by generating numerous fraudulent adverse events from disposable IP addresses to exhaust socket resources and disable the blocking mechanism before launching an actual attack. The vulnerability has a high severity rating (CVSS 7.5) and currently lacks a patch.
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. [CVSS 7.5 HIGH]
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. [CVSS 8.8 HIGH]
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. [CVSS 7.5 HIGH]
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. [CVSS 7.2 HIGH]
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
sys/netinet/tcp_timer.h in FreeBSD before 7.0 contains a denial-of-service (DoS) vulnerability due to improper handling of TSopt on TCP connections. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 13.0-STABLE before n245765-bec0d2c9c841, 12.2-STABLE before r369859, 11.4-STABLE before r369866, 13.0-RELEASE before p1, 12.2-RELEASE before p7, and 11.4-RELEASE before p10, missing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r369551, 11.4-STABLE before r369559, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, copy-on-write logic failed to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A memory corruption vulnerability was found in the kernel function kern_getfsstat in MidnightBSD before 1.2.7 and 1.3 through 2020-08-19, and FreeBSD through 11.4, that allows an attacker to trigger. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
In MidnightBSD before 1.2.6 and 1.3 before August 2020, and FreeBSD before 7, a NULL pointer dereference was found in the Linux emulation layer that allows attackers to crash the running kernel. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r363918, 12.1-RELEASE before p8, 11.4-STABLE before r363919, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, the sendmsg system call in the compat32 subsystem on. Rated high severity (CVSS 7.0). No vendor patch available.
In FreeBSD 12.1-STABLE before r362166, 12.1-RELEASE before p8, 11.4-STABLE before r362167, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, missing length validation code common to mulitple USB. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-STABLE before r361919, 11.3-RELEASE before p10, and 11.4-RC2 before p1, an invalid memory location may be used for HID items if the. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
In FreeBSD 12.1-STABLE before r360973, 12.1-RELEASE before p5, 11.4-STABLE before r360973, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, the FTP packet handler in libalias incorrectly calculates. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r360971, 12.1-RELEASE before p5, 11.4-STABLE before r360971, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, libalias does not properly validate packet length resulting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r359020, and 11.3-RELEASE before 11.3-RELEASE-p7, a missing null termination check in the jail_set. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity.
In FreeBSD 12.1-STABLE before r357490, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r357489, and 11.3-RELEASE before 11.3-RELEASE-p7, incorrect use of a user-controlled pointer in the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.
In FreeBSD 12.1-STABLE before r358739, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r358740, and 11.3-RELEASE before 11.3-RELEASE-p7, a TCP SYN-ACK or challenge TCP-ACK segment over IPv6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, mishandles font loading by a guest through a grub2.cfg file, leading to a buffer overflow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r357214, and 11.3-RELEASE before 11.3-RELEASE-p6, URL handling in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. Exploitation is local (PR:L) with no public exploit identified at time of analysis and a low EPSS of 0.18% (8th percentile).
Local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. By calling procctl(2) to request ASLR disablement before execve(2), the per-process disable flag remains active when the PIE base address is computed, because the activator clears the flag too late. This is a mitigation-weakening flaw that materially eases exploitation of any separate memory-corruption bug in those privileged binaries; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile).
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.
Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. EPSS is 0.14% (4th percentile), SSVC marks exploitation as none and non-automatable, and no public exploit has been identified at time of analysis.
Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile), and FreeBSD has released errata patches.
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
Signal delivery bypass in FreeBSD's thr_kill2(2) system call allows an unprivileged local user - or a jailed process - to send arbitrary signals to any process on the system, including root-owned processes and critical daemons, causing Denial of Service. The flaw stems from a missing check on the return value of p_cansignal(), the kernel's permission enforcement primitive: the signal is unconditionally delivered before the error is propagated to the caller. No public exploit has been identified at time of analysis and SSVC assesses exploitation as none, though globally sequential thread IDs reduce the skill requirement to simple brute force, and the jail boundary bypass adds a container-escape dimension absent from the base CVSS score.
Page-cache corruption in FreeBSD's kTLS-RX subsystem (CVE-2026-45257 / FreeBSD-SA-26:26.kTLS) enables an unprivileged local user to overwrite arbitrary bytes in the backing physical page of any world-readable file, including SUID-root binaries, by exploiting in-place AES-GCM decryption running directly over sendfile(2)-produced EXTPG mbufs via the kernel direct map (DMAP). The write bypasses the VFS layer entirely, defeating file permissions, mount options, and chflags schg immutable flags - making this the FreeBSD functional equivalent of Linux CVE-2022-0847 (Dirty Pipe). A public exploit (bumsrakete.c) is included in the oss-security disclosure and achieves reliable root LPE in approximately 1.5 seconds on default FreeBSD 13.0 through 15.0 on amd64, arm64, and riscv; no public KEV listing has been identified at time of analysis.
In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process.
When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network.
Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
Remote denial-of-service in FreeBSD packet filter (pf) allows unauthenticated attackers to crash systems via malformed SCTP packets. Unbounded recursion in SCTP chunk parameter parsing triggers stack overflow, causing kernel panic on any FreeBSD system with pf enabled, regardless of firewall ruleset configuration. EPSS score of 0.06% (17th percentile) suggests low broad exploitation probability, but impact is critical for exposed FreeBSD firewalls. Official patch released by FreeBSD covering versions 13.5, 14.3, 14.4, and 15.0.
Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.
Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanitized BOOTP file field in DHCP responses. When dhclient writes lease data without escaping embedded double-quotes and later re-parses it (e.g., after system restart), injected dhclient.conf directives execute through dhclient-script. EPSS score is notably low (0.02%, 5th percentile) with SSVC indicating no observed exploitation and partial technical impact, suggesting limited real-world targeting despite the high-severity nature of root code execution. No public exploit code identified at time of analysis.
Unprivileged local users on FreeBSD can read sensitive kernel memory via a page table manipulation bug in pmap_pkru_update_range(). When applying protection keys to 1GB largepage mappings created through shm_create_largepage(3), the kernel incorrectly treats userspace memory as page table entries, enabling unauthorized information disclosure. This affects FreeBSD 13.5, 14.3, 14.4, and 15.0 releases and has been confirmed fixed by vendor patches.
Local privilege escalation in FreeBSD 13.5 through 15.0 allows unprivileged processes to gain root privileges by exploiting a use-after-free condition in the TIOCNOTTY ioctl implementation. When a process detaches from its controlling terminal and exits, a dangling pointer in the terminal structure references freed session memory, which attackers can manipulate to escalate privileges. This vulnerability affects multiple stable and release branches with CVSS 8.4 (High) but low EPSS probability (0.02%, 5th percentile), indicating theoretical severity without observed widespread exploitation. Not listed in CISA KEV, suggesting no confirmed active exploitation at time of analysis.
Packet filter (pf) rule hash calculation regression in FreeBSD causes rules with address range syntax (x.x.x.x - y.y.y.y) differing only in address ranges to be silently dropped as duplicates, loading only the first rule and potentially causing unexpected packet filtering behavior including unintended blocking or allowing of traffic. The regression affects pf's duplicate detection mechanism but does not impact rules using CIDR notation (address/mask-bits syntax). Only the first of multiple such rules is loaded, creating a silent configuration failure with no warning to administrators.
Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_sec) allows low-privileged authenticated attackers to execute arbitrary code via crafted network packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches. Publicly available exploit code exists (GitHub/Gist), though EPSS probability remains low (0.05%, 16th percentile) and CISA has not listed this in KEV, suggesting limited observed exploitation despite high CVSS 8.8 score and total technical impact per SSVC framework.
NVMe/TCP targets are vulnerable to unauthenticated denial of service when a remote attacker sends a CONNECT command with an invalid CNTLID, triggering a kernel panic on the exposed system. The vulnerability exploits a null pointer dereference that allows any network-accessible attacker to crash the target without authentication. No patch is currently available for this high-severity flaw.
This vulnerability is a memory leak in FreeBSD's TCP stack where the tcp_respond() function fails to properly free allocated memory buffers (mbufs) when challenge ACKs are not sent in response to crafted packets. FreeBSD systems of all versions are affected. An attacker with network access (either on-path with an established connection or able to establish one, or via spoofed packets) can trigger this leak repeatedly by sending specially crafted packets that exceed rate limits, causing heap exhaustion and potential denial of service through resource depletion.
The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. [CVSS 7.5 HIGH]
FreeBSD's blocklistd service leaks socket descriptors on each adverse event report, causing progressive service degradation until it can no longer block malicious IP addresses or process new reports. An attacker can exploit this by generating numerous fraudulent adverse events from disposable IP addresses to exhaust socket resources and disable the blocking mechanism before launching an actual attack. The vulnerability has a high severity rating (CVSS 7.5) and currently lacks a patch.
If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has configured one. [CVSS 7.5 HIGH]
By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. [CVSS 8.8 HIGH]
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. [CVSS 7.5 HIGH]
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. [CVSS 7.2 HIGH]
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to exploit a signal handler race condition by failing to authenticate within the LoginGraceTime window, potentially yielding root-level code execution on glibc-based Linux systems. The flaw - widely known as 'regreSSHion' - affects numerous distributions and vendor appliances including Ubuntu 23.10/24.04, AlmaLinux 9, SonicWall SMA firmware, Arista EOS, NetApp ONTAP, and others. Publicly available exploit code exists and EPSS scores it at 48.06% (98th percentile), reflecting very high exploitation likelihood, though it is not currently listed in CISA KEV.
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The jail(2) system call has not limited a visiblity of allocated TTYs (the kern.ttys sysctl). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.
`bhyveload -h <host-path>` may be used to grant loader access to the <host-path> directory tree on the host. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
sendmail through 8.17.2 allows SMTP smuggling in certain configurations. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.
When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device,. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket (tgt) from the Kerberos KDC (Key Distribution Center) over the network, as a way to. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
sys/netinet/tcp_timer.h in FreeBSD before 7.0 contains a denial-of-service (DoS) vulnerability due to improper handling of TSopt on TCP connections. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In FreeBSD 13.0-STABLE before n246938-0729ba2f49c9, 12.2-STABLE before r370383, 11.4-STABLE before r370381, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, the ggatec. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 13.0-STABLE before n245765-bec0d2c9c841, 12.2-STABLE before r369859, 11.4-STABLE before r369866, 13.0-RELEASE before p1, 12.2-RELEASE before p7, and 11.4-RELEASE before p10, missing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FreeBSD 13.0-STABLE before n245764-876ffe28796c, 12.2-STABLE before r369857, 13.0-RELEASE before p1, and 12.2-RELEASE before p7, a system call triggering a fault could cause SMAP protections to be. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r369551, 11.4-STABLE before r369559, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, copy-on-write logic failed to. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required.
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This NULL Pointer Dereference vulnerability could allow attackers to crash the application by dereferencing a null pointer.
bhyve, as used in FreeBSD through 12.1 and illumos (e.g., OmniOS CE through r151034 and OpenIndiana through Hipster 2020.04), does not properly restrict VMCS and VMCB read/write operations, as. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A memory corruption vulnerability was found in the kernel function kern_getfsstat in MidnightBSD before 1.2.7 and 1.3 through 2020-08-19, and FreeBSD through 11.4, that allows an attacker to trigger. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
In MidnightBSD before 1.2.6 and 1.3 before August 2020, and FreeBSD before 7, a NULL pointer dereference was found in the Linux emulation layer that allows attackers to crash the running kernel. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r363918, 12.1-RELEASE before p8, 11.4-STABLE before r363919, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, the sendmsg system call in the compat32 subsystem on. Rated high severity (CVSS 7.0). No vendor patch available.
In FreeBSD 12.1-STABLE before r362166, 12.1-RELEASE before p8, 11.4-STABLE before r362167, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, missing length validation code common to mulitple USB. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and 11.4-RELEASE before p1, long values in the user-controlled PATH environment variable cause posix_spawnp to write beyond the end. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 11.3-RELEASE before p11, missing synchronization in the IPV6_2292PKTOPTIONS. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-STABLE before r361919, 11.3-RELEASE before p10, and 11.4-RC2 before p1, an invalid memory location may be used for HID items if the. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.
In FreeBSD 12.1-STABLE before r360973, 12.1-RELEASE before p5, 11.4-STABLE before r360973, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, the FTP packet handler in libalias incorrectly calculates. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r360971, 12.1-RELEASE before p5, 11.4-STABLE before r360971, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, libalias does not properly validate packet length resulting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r359021, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r359020, and 11.3-RELEASE before 11.3-RELEASE-p7, a missing null termination check in the jail_set. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity.
In FreeBSD 12.1-STABLE before r357490, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r357489, and 11.3-RELEASE before 11.3-RELEASE-p7, incorrect use of a user-controlled pointer in the. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.
In FreeBSD 12.1-STABLE before r358739, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r358740, and 11.3-RELEASE before 11.3-RELEASE-p7, a TCP SYN-ACK or challenge TCP-ACK segment over IPv6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use of Uninitialized Resource vulnerability could allow attackers to access uninitialized memory causing crashes or information disclosure.
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, mishandles font loading by a guest through a grub2.cfg file, leading to a buffer overflow. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r357214, and 11.3-RELEASE before 11.3-RELEASE-p6, URL handling in. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make. Rated high severity (CVSS 7.4), this vulnerability is low attack complexity. No vendor patch available.