SB2026043012 - Multiple vulnerabilities in FreeBSD
Published: April 30, 2026
Description
This security bulletin contains information about 6 vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2026-35547)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges or cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in libnv when processing the header of an incoming message. A local user can send a specially crafted message to escalate privileges or cause a denial of service.
2) Stack-based buffer overflow (CVE-ID: CVE-2026-39457)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a stack-based buffer overflow in libnv when exchanging data over a socket using a socket descriptor that exceeds FD_SETSIZE. A local user can force a libnv application to allocate large file descriptors to escalate privileges.
If the target application is setuid-root, successful exploitation could result in privilege escalation.
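The bug class in item 2, shown as an added example (not code from libnv or from the FreeBSD advisory): an unchecked `FD_SET()` beside a range-checked `select()` wrapper and a `poll()` replacement. All function names are hypothetical, and `main` passes `FD_SETSIZE` as a plain number without opening such a descriptor.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* Unsafe pattern, for contrast only (never called): fd_set is a fixed bitmap of
 * FD_SETSIZE bits, so FD_SET() with fd >= FD_SETSIZE writes past its end. */
int wait_readable_unchecked(int fd, struct timeval *tv)
{
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, tv);
}

/* Hardened select(): refuse descriptors the bitmap cannot represent. */
int wait_readable_select(int fd, struct timeval *tv)
{
    fd_set rfds;
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, tv);
}

/* Preferred: poll() takes the descriptor by value, so no bitmap is involved. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    if (fd < 0) {                 /* poll() silently ignores negative fds */
        errno = EBADF;
        return -1;
    }
    int n = poll(&pfd, 1, timeout_ms);
    if (n > 0 && (pfd.revents & POLLNVAL)) {
        errno = EBADF;            /* descriptor is not open */
        return -1;
    }
    return n;
}

int main(void)
{
    struct timeval tv = { 0, 0 };
    return wait_readable_select(FD_SETSIZE, &tv) == -1 ? 0 : 1;
}
```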
3) Heap-based buffer overflow (CVE-ID: CVE-2026-42512)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in dhclient when processing a crafted DHCP offer while building environment entries for dhclient-script. A remote attacker can send a specially crafted DHCP packet to execute arbitrary code or cause a denial of service.
Exploitation requires the attacker to be on the same broadcast domain and able to respond to DHCP requests.
4) Stack-based buffer overflow (CVE-ID: CVE-2026-7164)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a stack-based buffer overflow in pf SCTP packet parsing when processing crafted SCTP packets. A remote attacker can send a specially crafted SCTP packet to cause a denial of service.
This affects systems where pf is configured to process traffic, independent of the configured ruleset.
5) Stack-based buffer overflow (CVE-ID: CVE-2026-7270)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a buffer overflow caused by an operator precedence bug in execve(2) when processing executable images and script interpreter paths. A local user can execute a crafted program to overwrite adjacent execve(2) argument buffers and escalate privileges.
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper neutralization of special elements in the lease file handling in dhclient when processing malicious DHCP options from a rogue DHCP server on the same broadcast domain. A remote attacker can send crafted DHCP responses containing a BOOTP file field with embedded double-quotes to execute arbitrary code.
Code execution occurs when the lease file is later re-parsed, such as after a system restart, and attacker-controlled content is passed to dhclient-script(8) for evaluation.
Remediation
Install the update from the vendor's website.
References
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:17.libnv.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:16.libnv.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:15.dhclient.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:14.pf.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:12.dhclient.asc