Stack-based buffer overflow in FreeBSD - CVE-2026-49420


Published: July 1, 2026


Vulnerability identifier: #VU136011
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-49420
CWE-ID: CWE-121
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: FreeBSD Foundation
Affected software:
FreeBSD

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to a stack-based buffer overflow in the libalias RTSP handler when it processes crafted outbound RTSP traffic during NAT translation. A remote attacker can send crafted RTSP traffic through the NAT to execute arbitrary code.

The issue can be reached in kernel context when ipfw(4) in-kernel NAT is used, or in the natd(8) process, and only occurs for outbound TCP or UDP traffic involving port 554 or 7070.


How to mitigate CVE-2026-49420

Install the security update from the vendor's website.

Sources