Improper control of a resource through its lifetime in FreeBSD - CVE-2026-45257

Published: June 11, 2026

Vulnerability identifier: #VU134369
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45257
CWE-ID: CWE-664
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: FreeBSD Foundation
Affected software:
FreeBSD

Detailed vulnerability description

The vulnerability allows a local user to overwrite arbitrary files and escalate privileges.

The vulnerability exists due to improper handling of file-backed memory in the KTLS receive path when TLS records received over a loopback connection are decrypted. A local user can send a readable file over a loopback connection with KTLS receive enabled and thereby overwrite arbitrary files and escalate privileges.

The issue affects software KTLS on the receive path. Because the overwrite modifies the page cache directly, it bypasses file flags such as schg (the system immutable flag).

How to mitigate CVE-2026-45257

Install the security update from the vendor's website.

Sources