SB2026070104 - Multiple vulnerabilities in FreeBSD


Published: July 1, 2026

Security Bulletin ID: SB2026070104
CSH Severity: High
Patch available: Yes
Number of vulnerabilities: 17
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 6%
Medium: 18%
Low: 76%

Description

This security bulletin contains information about 17 vulnerabilities.


1) Improper Authorization (CVE-ID: CVE-2026-49421)

CWE-ID: CWE-285 - Improper Authorization

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to delete files outside the intended directory tree.

The vulnerability exists due to improper access control in unlinkat(2) and funlinkat(2) when processing paths with the AT_RESOLVE_BENEATH flag. A local user can supply a path that resolves above the starting directory to delete files outside the intended directory tree.

The issue occurs because the flag is validated but not passed to the underlying path lookup, so path containment is not enforced.


2) Use-after-free (CVE-ID: CVE-2026-49418)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to use-after-free in the device pager page list when calling msync(MS_INVALIDATE) on a mapping of an unmanaged device object and then triggering a subsequent page fault. A local user can access a device that provides memory-mapped I/O and trigger the flaw to escalate privileges.

Exploitation is limited to systems where the user can access a device that provides memory-mapped I/O.


3) Double free (CVE-ID: CVE-2026-49419)

CWE-ID: CWE-415 - Double Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a double free in kern_jail_set() and kern_jail_get() when handling the JAIL_AT_DESC flag and a failed jail descriptor lookup. A local user can trigger the affected system calls to escalate privileges.

On the jail host, exploitation will generally result in an immediate panic instead of privilege escalation. Privilege escalation may be possible when the user is running inside a jail.


4) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2026-49415)

CWE-ID: CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to a time-of-check time-of-use race condition in execve(2) when executing a set-user-ID binary. A local user can access and modify the target process memory via procfs or linprocfs during the credential transition window to escalate privileges.

The issue occurs because the new virtual address space is installed before process credentials are updated.


5) Heap-based buffer overflow (CVE-ID: CVE-2026-49429)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to heap-based buffer overflow in the ZFS_IOC_USERSPACE_MANY ioctl when processing a userspace output buffer size. A local user can trigger the ioctl with a crafted 64-bit buffer size to escalate privileges.

Exploitation requires the delegated ZFS permission "userused".


6) Integer overflow (CVE-ID: CVE-2026-49430)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause memory corruption.

The vulnerability exists due to improper integer truncation in the ZFS_IOC_RECV_NEW ioctl when handling a crafted receive stream in heal mode. A local user can send a crafted receive stream to cause memory corruption.

Exploitation requires the delegated ZFS permission "receive" and the heal receive path.


7) Improper access control (CVE-ID: CVE-2026-49431)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local attacker to modify internal ZFS metadata.

The vulnerability exists due to improper access control in the ZFS_IOC_SET_PROP ioctl when validating the calling user for dataset property updates. A local attacker can set the "$hasrecvd" dataset metadata flag to modify internal ZFS metadata.


8) Stack-based buffer overflow (CVE-ID: CVE-2026-49420)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to stack-based buffer overflow in the libalias RTSP handler when processing crafted outbound RTSP traffic during NAT translation. A remote attacker can send crafted RTSP traffic to execute arbitrary code.

The overflow occurs in kernel context when ipfw(4) NAT is used, or inside the natd(8) process, and only for outbound TCP or UDP traffic involving port 554 or 7070.


9) Use-after-free (CVE-ID: CVE-2026-49422)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to use-after-free in the TCP RACK setsockopt(2) handler when copying option data from userspace while the TCP stack is switched twice during a lock drop window. A local user can switch TCP stacks twice during this window to escalate privileges.

Only systems with the tcp_rack.ko kernel module loaded are vulnerable.


10) Stack-based buffer overflow (CVE-ID: CVE-2026-58082)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a buffer overflow.

The vulnerability exists due to stack-based buffer overflow in the ISO-2022 encoding module when converting untrusted input using ISO-2022 variants that require more than 6 bytes of intermediate character output. A remote attacker can supply crafted input to trigger a stack buffer overflow.

Some ISO-2022 variants can require up to 10 bytes per character, allowing an overflow of up to four bytes.


11) Use-after-free (CVE-ID: CVE-2026-49427)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to use-after-free in POSIX largepage shared memory objects when transmitting such an object with sendfile(2) using the SF_NOCACHE flag. A local user can send a largepage shared memory object through sendfile(2) with the SF_NOCACHE flag to escalate privileges.

Existing mappings can continue to refer to the freed pages after transmission.


12) Input validation error (CVE-ID: CVE-2026-49428)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to escalate privileges.

The vulnerability exists due to improper input validation in largepage shared memory object operations when invoking unsupported system calls such as open(2) with the O_TRUNC flag set or fspacectl(2). A local user can invoke unsupported operations on a largepage object to escalate privileges.

These operations are not permitted on largepage objects, but the implementation did not verify this.


13) Insufficient Logging (CVE-ID: CVE-2026-49426)

CWE-ID: CWE-778 - Insufficient Logging

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to produce misleading audit trails.

The vulnerability exists due to incorrect audit record generation in the audit(4) facility for ptrace(2) PT_SC_REMOTE syscall auditing when recording the outcome of remotely executed system calls. A local user can debug a process and execute system calls via ptrace(PT_SC_REMOTE) to produce misleading audit trails.

Only systems using audit(4) are affected, and the issue can undermine audit-based intrusion detection systems.


14) Use of uninitialized resource (CVE-ID: CVE-2026-49423)

CWE-ID: CWE-908 - Use of Uninitialized Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uninitialized memory access in ktls_ocf_tls_cbc_decrypt() when processing received TLS 1.2 CBC records. A remote attacker can send network traffic that causes the kernel to read uninitialized iovec entries to cause a denial of service.

Only systems using receive-side KTLS are affected, and exploitation requires control of TCP segmentation so that the first mbuf of a CBC record contains only the 5-byte TLS record header.


15) Use of Uninitialized Variable (CVE-ID: CVE-2026-49424)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized memory usage in the Linux waitid() implementation when translating a FreeBSD siginfo_t struct into a stack-declared Linux siginfo_t. A local user can invoke waitid() via the Linux compatibility layer to disclose sensitive information.

Only systems with the Linux binary compatibility layer loaded are vulnerable, and up to 104 bytes of uninitialized kernel stack data may be exposed.


16) Use of Uninitialized Variable (CVE-ID: CVE-2026-49425)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to uninitialized stack memory in the compat32 kevent() handler when translating a 64-bit kevent structure into a 32-bit structure. A local user can invoke the affected system call to disclose sensitive information.

The issue affects 32-bit compatibility support for executing 32-bit binaries on 64-bit platforms.


17) Out-of-bounds write (CVE-ID: CVE-2026-58081)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a buffer overflow.

The vulnerability exists due to improper input validation in multiple iconv(3) encoding modules when converting untrusted input to or from affected encodings. A remote attacker can supply crafted input to trigger a buffer overflow.

The issue affects encoding modules including HZ, UTF-7, VIQR, and ZW.


Remediation

Install the update from the vendor's website.
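As an added triage example (not part of the bulletin), the following Python parses the CVSSv4 vector strings listed above, validates their base metrics, and orders the 17 entries so that remotely reachable, unauthenticated issues surface first; BULLETIN_VECTORS copies the vectors from this page, and the urgency ordering is this example's own heuristic, not a CVSS score.

```python
import re
# CVSS v4.0 vectors as printed in this bulletin, keyed by CVE.
BULLETIN_VECTORS = {
    "CVE-2026-49421": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49418": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49419": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49415": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49429": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49430": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49431": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49420": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber",
    "CVE-2026-49422": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-58082": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-49427": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49428": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49426": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49423": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
    "CVE-2026-49424": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-49425": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear",
    "CVE-2026-58081": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green",
}
# Allowed values of the base metrics (CVSS v4.0 specification); E and U are supplemental.
BASE = {"AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN", "SC": "HLN", "SI": "HLN", "SA": "HLN"}

def parse_vector(vector):
    """Split a CVSS v4.0 vector into a metric dict; reject malformed, duplicate or missing base metrics."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in vector.split("/")[1:]:
        m = re.fullmatch(r"([A-Z]+):([A-Za-z]+)", part)
        if m is None or m.group(1) in metrics:
            raise ValueError("bad or duplicate metric: %r" % part)
        metrics[m.group(1)] = m.group(2)
    for name, allowed in BASE.items():
        if metrics.get(name) not in set(allowed):
            raise ValueError("missing or invalid base metric: " + name)
    return metrics

def urgency(metrics):
    """Higher tuple = more urgent: remote, unauthenticated, no preconditions, then vulnerable-system impact."""
    impact = sum({"H": 2, "L": 1}.get(metrics[m], 0) for m in ("VC", "VI", "VA"))
    return (metrics["AV"] == "N", metrics["PR"] == "N", metrics["AT"] == "N", impact)

def triage(vectors):
    """CVE ids from most to least urgent; ties keep bulletin order."""
    parsed = {cve: parse_vector(v) for cve, v in vectors.items()}
    return sorted(parsed, key=lambda cve: urgency(parsed[cve]), reverse=True)
```

Run `triage(BULLETIN_VECTORS)` to see the four AV:N entries (the libalias RTSP, iconv and KTLS issues) ahead of the thirteen local ones.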