Improper Authorization in FreeBSD - CVE-2026-49421


Published: July 1, 2026


Vulnerability identifier: #VU136012
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-49421
CWE-ID: CWE-285
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: FreeBSD Foundation
Affected software: FreeBSD

Detailed vulnerability description

The vulnerability allows a local user to delete files outside the intended directory tree.

The vulnerability exists due to improper access control in unlinkat(2) and funlinkat(2) when processing paths with the AT_RESOLVE_BENEATH flag. A local user can supply a path that resolves above the starting directory to delete files outside the intended directory tree.

The issue occurs because the flag is validated but not passed to the underlying path lookup, so path containment is not enforced.
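To make the defect class concrete, here is an added user-space model (not FreeBSD's kernel code, which enforces this inside its path lookup) of what AT_RESOLVE_BENEATH is supposed to guarantee: every component is resolved one step at a time from the starting directory, absolute paths are refused, a `..` that would climb above the start is refused, and symlink targets are spliced back into the walk so they obey the same rule. Beside it sits a three-line model of the pattern the advisory describes, where the flag is checked for validity and then simply not applied to the lookup. The `AT_RESOLVE_BENEATH` value, the `demo()` sandbox layout and all file names are constructed for this illustration.

```python
import errno
import os
import stat
import tempfile

# Label only: the value mirrors FreeBSD's fcntl.h, but nothing below depends on it.
AT_RESOLVE_BENEATH = 0x2000  # assumed value, used purely as a flag bit here


def _split(path):
    """Drop empty and '.' components; keep '..' so it can be counted."""
    return [c for c in path.split("/") if c and c != "."]


def unlink_beneath_unchecked(dirfd, path, flags=AT_RESOLVE_BENEATH):
    """Model of the defective pattern: the flag passes validation but never
    reaches the lookup, so a leading '..' climbs above dirfd unhindered."""
    if flags & ~AT_RESOLVE_BENEATH:
        raise ValueError("unsupported flag")
    os.unlink(path, dir_fd=dirfd)  # plain lookup; containment is not enforced


def unlink_beneath(dirfd, path, flags=AT_RESOLVE_BENEATH):
    """Enforcing version: walk component by component from dirfd and refuse
    any step that would resolve above the starting directory."""
    if flags & ~AT_RESOLVE_BENEATH:
        raise ValueError("unsupported flag")
    if not flags & AT_RESOLVE_BENEATH:
        os.unlink(path, dir_fd=dirfd)
        return
    if path.startswith("/"):
        raise PermissionError(errno.EACCES, "absolute path escapes the start directory")
    parts = _split(path)
    if not parts:
        raise IsADirectoryError(errno.EISDIR, "refusing to unlink the start directory")
    depth, hops = 0, 0
    cur = os.dup(dirfd)
    try:
        while len(parts) > 1:
            comp = parts.pop(0)
            if comp == "..":
                if depth == 0:
                    raise PermissionError(errno.EACCES, "'..' would resolve above the start directory")
                depth -= 1
            else:
                if stat.S_ISLNK(os.lstat(comp, dir_fd=cur).st_mode):
                    hops += 1
                    if hops > 32:
                        raise OSError(errno.ELOOP, "too many symlink hops")
                    target = os.readlink(comp, dir_fd=cur)
                    if target.startswith("/"):
                        raise PermissionError(errno.EACCES, "symlink to absolute path escapes the start directory")
                    parts[0:0] = _split(target)  # re-walk the link target under the same rules
                    continue
                depth += 1
            # O_NOFOLLOW closes the lstat/open race: if comp became a symlink
            # in between, this open fails with ELOOP instead of following it.
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=cur)
            os.close(cur)
            cur = nxt
        leaf = parts[0]
        if leaf == "..":
            raise PermissionError(errno.EACCES, "'..' cannot be the unlink target")
        os.unlink(leaf, dir_fd=cur)  # a symlink leaf is removed itself, never followed
    finally:
        os.close(cur)


def demo():
    """Constructed sandbox: dirfd on <tmp>/jail, a file outside it at
    <tmp>/outside.txt, and a symlink jail/esc -> '..'. Returns what each
    variant did so the two behaviours can be compared side by side."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "jail")
        os.makedirs(os.path.join(jail, "sub"))
        os.symlink("..", os.path.join(jail, "esc"))
        outside = os.path.join(tmp, "outside.txt")
        inside = os.path.join(jail, "sub", "inside.txt")
        for p in (outside, inside):
            open(p, "w").close()
        dirfd = os.open(jail, os.O_RDONLY | os.O_DIRECTORY)
        try:
            r = {}
            unlink_beneath(dirfd, "sub/../sub/inside.txt")  # '..' that stays beneath is fine
            r["inside_deleted"] = not os.path.exists(inside)
            for key, p in (("enforced_refused", "../outside.txt"),
                           ("symlink_escape_refused", "esc/outside.txt")):
                try:
                    unlink_beneath(dirfd, p)
                    r[key] = False
                except PermissionError:
                    r[key] = True
            r["outside_intact_after_enforced"] = os.path.exists(outside)
            unlink_beneath_unchecked(dirfd, "../outside.txt")  # the defective model
            r["outside_intact_after_unchecked"] = os.path.exists(outside)
            return r
        finally:
            os.close(dirfd)
```

The detection-worthy point is the shape of the bug rather than any single path: a flag that is accepted by argument validation but whose semantics live in a different layer (here the lookup) silently becomes a no-op, so a review should trace each security flag from the syscall entry down to the code that actually enforces it.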


How to mitigate CVE-2026-49421

Install the security update from the vendor's website.

Sources