SB20260422182 - Two privilege escalation vulnerabilities in FreeBSD

Description

This security bulletin contains information about 2 vulnerabilities.

1) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-6386)

CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to overwrite memory to which the application would otherwise not have access.

The vulnerability exists due to improper handling of large page mappings in pmap_pkru_update_range() when applying protection keys to an address range. A local user can cause the kernel to treat userspace memory as a page table page to overwrite memory to which the application would otherwise not have access.

The issue only affects amd64 systems and involves 1GB largepage mappings created using the shm_create_largepage(3) interface.

2) Use-after-free (CVE-ID: CVE-2026-5398)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to use-after-free in the TIOCNOTTY handler when processing the TIOCNOTTY ioctl operation. A local user can invoke the ioctl and then exit the process to escalate privileges.

Unprivileged processes may use this ioctl.

Remediation

Install update from vendor's website.

References

• https://www.freebsd.org/security/advisories/FreeBSD-SA-26:11.amd64.asc
• https://www.freebsd.org/security/advisories/FreeBSD-SA-26:10.tty.asc