SB2026052111 - Multiple vulnerabilities in FreeBSD
Published: May 21, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-45254)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to extend previously restricted network permissions.
The vulnerability exists due to improper access control in libcap_net when applying a new limitation list that omits keys present in the old limit. A local user can request a new limit with missing keys to extend previously restricted network permissions.
Exploitation is limited to certain scenarios involving Capsicum-sandboxed applications using the cap_net service.
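The narrowing check that this class of bug lacks, shown as an added example on a simplified model rather than libcap_net's own code. The `limit_entry` struct, the key names and the rule that an absent key means "unrestricted" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a limit is a list of key -> allowed-bits
 * entries, and a key absent from the list is unrestricted. */
struct limit_entry { const char *key; unsigned allowed; };

static const struct limit_entry *
find_key(const struct limit_entry *l, size_t n, const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(l[i].key, key) == 0)
            return &l[i];
    return NULL;
}

/* Return 1 only if replacing old_l with new_l cannot widen any permission. */
int limit_is_narrowing(const struct limit_entry *old_l, size_t old_n,
                       const struct limit_entry *new_l, size_t new_n)
{
    /* Walk the OLD keys: a loop over the new list alone never notices a
     * restriction that the request silently dropped. */
    for (size_t i = 0; i < old_n; i++) {
        const struct limit_entry *e = find_key(new_l, new_n, old_l[i].key);
        if (e == NULL)
            return 0;                    /* omitted key would lift the limit */
        if (e->allowed & ~old_l[i].allowed)
            return 0;                    /* adds a value the old limit denied */
    }
    return 1;       /* keys present only in new_l add restrictions */
}

/* Constructed sample limits; key names and bit values are illustrative. */
static const struct limit_entry OLD_L[] = { {"mode", 0x1}, {"family", 0x2} };
static const struct limit_entry OMITS[] = { {"mode", 0x1} };
static const struct limit_entry WIDER[] = { {"mode", 0x3}, {"family", 0x2} };
static const struct limit_entry TIGHT[] = { {"mode", 0x1}, {"family", 0x2}, {"port", 0x4} };

int main(void)
{
    printf("omits key: %d\n", limit_is_narrowing(OLD_L, 2, OMITS, 1));
    printf("wider set: %d\n", limit_is_narrowing(OLD_L, 2, WIDER, 2));
    printf("tighter:   %d\n", limit_is_narrowing(OLD_L, 2, TIGHT, 3));
    return 0;
}
```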
2) Command injection (CVE-ID: CVE-2026-45255)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to command injection in Wi-Fi network name handling in bsdinstall and bsdconfig when scanning for nearby Wi-Fi networks. A remote attacker can create an access point with a specially crafted network name to execute arbitrary code.
User interaction is required to initiate a Wi-Fi scan, but the malicious network does not need to be selected.
3) Stack-based buffer overflow (CVE-ID: CVE-2026-39461)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a stack-based buffer overflow in libcasper when handling socket descriptors that exceed select(2) descriptor set limits. A local user can cause an application using libcasper to allocate file descriptors with large numeric values to escalate privileges.
Exploitation requires a target application that uses libcasper, and privilege escalation is possible if that application runs with setuid root privileges.
4) Input validation error (CVE-ID: CVE-2026-45253)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper input validation in ptrace(PT_SC_REMOTE) when handling syscall(2) and __syscall(2) meta-system calls. A local user can supply crafted parameters to trigger arbitrary code execution in the kernel to escalate privileges.
Exploitation requires the ability to debug a process.
5) Heap-based buffer overflow (CVE-ID: CVE-2026-45252)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to disclose sensitive information or corrupt kernel heap memory.
The vulnerability exists due to a heap-based buffer overflow in the fusefs kernel module FUSE_LISTXATTR handling when processing a daemon-supplied extended attribute list. A local user can send a non-NUL-terminated list of extended attributes to disclose sensitive information or corrupt kernel heap memory.
Exploitation requires control of a fusefs userspace daemon, and unprivileged use depends on the vfs.usermount sysctl being enabled.
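A bounded validator for such a list, as an added example rather than the fusefs fix itself. It assumes the reply is a buffer of back-to-back NUL-terminated names with a known byte length; `name_list_count` is a hypothetical helper.

```c
#include <stdio.h>
#include <string.h>

/* Validate a buffer that must hold exactly `len` bytes of back-to-back
 * NUL-terminated names. Returns the number of names, or -1 if malformed. */
int name_list_count(const char *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        /* memchr() stops at the buffer end; strlen() on an unterminated
         * final name would keep reading adjacent heap memory. */
        const char *nul = memchr(buf + off, '\0', len - off);
        if (nul == NULL)
            return -1;                   /* last name is not terminated */
        if (nul == buf + off)
            return -1;                   /* empty name */
        off = (size_t)(nul - buf) + 1;
        count++;
    }
    return count;
}

/* Constructed reply: "user.a\0user.b\0" (the literal adds the final NUL). */
static const char REPLY[] = "user.a\0user.b";

int main(void)
{
    printf("well-formed: %d\n", name_list_count(REPLY, sizeof(REPLY)));
    printf("truncated:   %d\n", name_list_count(REPLY, sizeof(REPLY) - 1));
    return 0;
}
```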
6) Use-after-free (CVE-ID: CVE-2026-45251)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a use-after-free in the kernel file descriptor handling code when a file descriptor is closed while a thread is blocked in poll(2) or select(2) waiting on that descriptor. A local user can close a file descriptor during a blocked poll(2) or select(2) operation to escalate privileges.
The issue affects some file descriptor types where blocked threads are not unlinked from the per-object wait queue before the underlying object is freed.
7) Stack-based buffer overflow (CVE-ID: CVE-2026-45250)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to a stack-based buffer overflow in the setcred(2) system call when copying a user-supplied supplementary groups list into a fixed-size kernel stack buffer. A local user can supply an oversized supplementary groups list to execute arbitrary code.
The issue can be triggered before the caller's privilege level is checked, and successful exploitation occurs in the context of the kernel.
Remediation
Install the update from the vendor's website.
References
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:24.cap_net.asc
- https://cgit.freebsd.org/src/commit/?id=7eb3fd691d64
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:23.bsdinstall.asc
- https://cgit.freebsd.org/src/commit/?id=6f5674b97fd6
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:22.libcasper.asc
- https://cgit.freebsd.org/src/commit/?id=23929d729d1a
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:21.ptrace.asc
- https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:20.fusefs.asc
- https://cgit.freebsd.org/src/commit/?id=df3f3fa82775
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:19.file.asc
- https://cgit.freebsd.org/src/commit/?id=53a78e582a6f
- https://www.freebsd.org/security/advisories/FreeBSD-SA-26:18.setcred.asc
- https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch