SB2026061165 - Multiple vulnerabilities in FreeBSD
Published: June 11, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-45256)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper access control in thr_kill2(2) when delivering signals to a specific thread. A local user can send signals to processes they are not permitted to signal, causing a denial of service.
The issue also bypasses jail boundary enforcement, allowing signaling across jails or from a jail to the host. Knowledge or brute-force discovery of process and thread IDs is sufficient for exploitation.
2) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-45257)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to overwrite arbitrary files and escalate privileges.
The vulnerability exists due to improper handling of file-backed memory in the KTLS receive path when decrypting TLS records received over a loopback connection. A local user can send a readable file over a loopback connection with KTLS receive enabled to overwrite arbitrary files and escalate privileges.
The issue affects software KTLS on the receive path, and the overwrite can modify the page cache directly, bypassing file flags such as schg.
3) Use-after-free (CVE-ID: CVE-2026-49417)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to read and write kernel memory.
The vulnerability exists due to a use-after-free in the sound(4) mmap path when a mapped audio buffer remains accessible after the device is closed. A local user can keep using the stale mapping after closing the device to read and write kernel memory.
On systems with an audio device, the /dev/dsp device nodes are world-accessible by default.
4) Integer overflow (CVE-ID: CVE-2026-45258)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to read and write kernel memory.
The vulnerability exists due to an integer overflow in dsp_mmap_single() when validating a user-supplied mmap offset and length. A local user can supply a large offset and length to obtain a mapping beyond the audio buffer and read and write kernel memory.
On systems with an audio device, the /dev/dsp device nodes are world-accessible by default.
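The bug class in item 4, as an added example that is not FreeBSD code: a range check that adds an untrusted offset and length can wrap and pass, while a check that subtracts from the known buffer size cannot. The function names, the 4096-byte page size and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096ULL   /* assumed page size for this example */

/* Wrap-prone form: offset + length is computed modulo 2^64, so a very large
 * offset plus a modest length can wrap to a small sum that passes. */
static bool range_ok_naive(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    return offset + length <= bufsize;
}

/* Hardened form: never add two untrusted values. Round the length up to a
 * page only after proving the rounding cannot wrap, then compare it with
 * what is left of the buffer (bufsize is assumed to be page-aligned). */
static bool range_ok_checked(uint64_t offset, uint64_t length, uint64_t bufsize)
{
    if (length == 0 || length > UINT64_MAX - (PAGE_SZ - 1))
        return false;                     /* empty, or rounding would wrap */
    uint64_t rounded = (length + PAGE_SZ - 1) & ~(PAGE_SZ - 1);
    if (offset % PAGE_SZ != 0 || offset > bufsize)
        return false;                     /* unaligned or already past the end */
    return rounded <= bufsize - offset;   /* subtraction cannot underflow here */
}

int main(void)
{
    const uint64_t bufsize = 16 * PAGE_SZ;          /* constructed buffer size */
    const uint64_t off = UINT64_MAX - (PAGE_SZ - 1); /* constructed, page-aligned */
    const uint64_t len = 2 * PAGE_SZ;

    printf("in-range request:  naive=%d checked=%d\n",
           range_ok_naive(0, PAGE_SZ, bufsize),
           range_ok_checked(0, PAGE_SZ, bufsize));
    printf("wrapping request:  naive=%d checked=%d\n",
           range_ok_naive(off, len, bufsize),
           range_ok_checked(off, len, bufsize));
    return 0;
}
```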
5) Improper access control (CVE-ID: CVE-2026-45259)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to interfere with other processes.
The vulnerability exists due to improper access control in kern_sigqueue when sending signals via sigqueue(2) from a process in capability mode. A local user can send signals to processes other than the calling process to interfere with other processes.
This issue allows bypass of Capsicum sandbox restrictions and may affect processes running as the same user, or any process if the sandboxed process runs with superuser privileges.
6) Use-after-free (CVE-ID: CVE-2026-49412)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to a use-after-free in the IPV6_MSFILTER socket option handler when copying the source-filter list from userspace. A local user can trigger concurrent operations to reuse a stale pointer to freed memory and escalate privileges.
The issue occurs in the IPv6 multicast subsystem while handling source-specific multicast filtering via setsockopt(2).
7) Improper privilege management (CVE-ID: CVE-2026-49413)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management in the Linuxulator execution of set-user-ID and set-group-ID Linux binaries when constructing the ELF auxiliary vector during execve(2). A local user can inject a shared library via LD_PRELOAD to escalate privileges.
Only systems with the Linux compatibility module loaded and Linux set-user-ID or set-group-ID executables present are vulnerable.
8) Always-Incorrect Control Flow Implementation (CVE-ID: CVE-2026-49414)
CWE-ID: CWE-670 - Always-Incorrect Control Flow Implementation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to weaken address space layout randomization protections for setuid executables.
The vulnerability exists due to improper initialization order in the ELF image activator when executing a setuid PIE binary after disabling ASLR with procctl(2). A local user can call procctl(2) before execve(2) to weaken address space layout randomization protections for setuid executables.
This issue affects setuid or setgid PIE binaries and can make exploitation of a separate memory corruption vulnerability significantly easier.
9) Integer overflow (CVE-ID: CVE-2026-49416)
CWE-ID: CWE-190 - Integer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to an integer overflow in the vt(4) CONS_HISTORY ioctl handler when resizing the scrollback history buffer of a virtual terminal. A local user can supply a large history size value to trigger an out-of-bounds write in the kernel and escalate privileges.
Exploitation requires access to a vt(4) device.
10) Insufficient verification of data authenticity (CVE-ID: CVE-2026-10846)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to spoof DNS responses and inject arbitrary DNS data.
The vulnerability exists due to improper response validation in the ldns stub resolver when processing UDP DNS responses. A remote attacker can send a forged UDP response to inject arbitrary DNS data.
The issue affects ldns when used as a stub resolver over UDP and can be exploited by an off-path adversary that cannot observe the original query.
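The bulletin does not say which check ldns lacked. The added example below (not ldns code) shows the acceptance checks a UDP stub resolver conventionally applies before trusting a reply: source address and port, transaction ID, QR bit and the echoed question. The struct, function name, addresses and packet bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* State a stub keeps for one outstanding UDP query (hypothetical struct). */
struct pending_query {
    uint16_t id;             /* random transaction ID placed in the query */
    uint32_t server_ip;      /* IPv4 address the query was sent to */
    uint16_t server_port;    /* port the query was sent to */
    const uint8_t *question; /* question section exactly as sent */
    size_t question_len;
};

/* Constructed sample: question "example.com. IN A" and a reply echoing it. */
static const uint8_t SAMPLE_QUESTION[] = {
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };
static const uint8_t SAMPLE_RESPONSE[] = {
    0x1a,0x2b, 0x81,0x80, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };

/* Accept a datagram only if it answers exactly the query that was sent. */
static bool response_matches(const struct pending_query *q, uint32_t src_ip,
                             uint16_t src_port, const uint8_t *pkt, size_t len)
{
    if (src_ip != q->server_ip || src_port != q->server_port)
        return false;                    /* not from the server we asked */
    if (len < 12 + q->question_len)
        return false;                    /* no room for header + question */
    if ((uint16_t)((pkt[0] << 8) | pkt[1]) != q->id)
        return false;                    /* transaction ID mismatch */
    if ((pkt[2] & 0x80) == 0 || pkt[4] != 0 || pkt[5] != 1)
        return false;                    /* not a response, or QDCOUNT != 1 */
    /* Byte-exact compare: the echoed question must match what was sent. */
    return memcmp(pkt + 12, q->question, q->question_len) == 0;
}

int main(void)
{
    struct pending_query q = { 0x1a2b, 0xC0000235u /* 192.0.2.53 */, 53,
                               SAMPLE_QUESTION, sizeof SAMPLE_QUESTION };
    printf("genuine reply accepted: %d\n", response_matches(&q, 0xC0000235u,
           53, SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    printf("wrong source accepted:  %d\n", response_matches(&q, 0xC6336407u,
           53, SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE));
    return 0;
}
```

These checks only resist an off-path sender when the transaction ID and the query's source port are unpredictable.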
Remediation
Install the update from the vendor's website.
References
- https://cgit.freebsd.org/src/commit/?id=afa0c67a1ba3
- https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc
- https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch
- https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch
- https://cgit.freebsd.org/src/commit/?id=defd9b86ef99
- https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast.patch
- https://cgit.freebsd.org/src/commit/?id=3ac9726c4269
- https://cgit.freebsd.org/src/commit/?id=e1cdc49846c1
- https://cgit.freebsd.org/src/commit/?id=deaaddf1d3c4
- https://cgit.freebsd.org/src/commit/?id=20bfab98f8ae