Vulnerability in the execve system call granting root access in FreeBSD

A vulnerability (CVE-2026-7270) has been discovered in FreeBSD that allows an unprivileged user to execute kernel code and gain root access to the system. The vulnerability affects all FreeBSD releases since 2013. A public exploit is available and has been tested on systems running FreeBSD 11.0 through 14.4. The vulnerability was fixed in FreeBSD 15.0-RELEASE-p7, 14.4-RELEASE-p3, 14.3-RELEASE-p12, and 13.5-RELEASE-p13; a patch is available for older releases.

The issue is caused by a buffer overflow in the execve system call. It occurs when the prefix in the first line of a script (for example, "#!/bin/sh") is processed to determine the path to the interpreter. The overflow happens in a call to the memmove function because the expression that calculates the number of argument bytes copied into the buffer was constructed incorrectly. Instead of subtracting both "args->begin_argv" and "consume" from "args->endp", only "args->begin_argv" was subtracted from "args->endp", and "consume" was added to the result rather than subtracted, so twice the value of "consume" more bytes were copied than intended:

    memmove(args->begin_argv + extend, args->begin_argv + consume,
    -    args->endp - args->begin_argv + consume);
    +    args->endp - (args->begin_argv + consume));
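To make the arithmetic concrete, here is a constructed C model of the length calculation, written for this article rather than taken from the FreeBSD source: `struct args_mock` and the helper names are hypothetical stand-ins for the `image_args` fields the text names, and the sample argv strings and the 32-byte buffer are made up. It shows the buggy expression over-counting by exactly twice `consume` and a bounds check that flags the resulting memmove as running past the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the image_args fields the article names: argv
 * strings are packed in [begin_argv, endp) inside a buffer of cap bytes. */
struct args_mock { char *buf; size_t cap; char *begin_argv; char *endp; };

/* Buggy length: endp - begin_argv + consume (consume added, not subtracted). */
size_t memmove_len_buggy(const struct args_mock *a, size_t consume)
{
    return (size_t)(a->endp - a->begin_argv) + consume;
}

/* Corrected length: endp - (begin_argv + consume). */
size_t memmove_len_fixed(const struct args_mock *a, size_t consume)
{
    return (size_t)(a->endp - (a->begin_argv + consume));
}

/* Would memmove(begin_argv + extend, src, len) stay inside buf? */
int memmove_in_bounds(const struct args_mock *a, size_t extend, size_t len)
{
    return (size_t)(a->begin_argv - a->buf) + extend + len <= a->cap;
}

/* Constructed sample: argv "script.sh", "a", "b" packed into storage.
 * Returns consume, the size of the old argv[0] that gets replaced. */
size_t build_sample(struct args_mock *a, char *storage, size_t cap)
{
    static const char strings[] = "script.sh\0a\0b";   /* 14 bytes with NULs */
    memcpy(storage, strings, sizeof strings);
    a->buf = a->begin_argv = storage;
    a->cap = cap;
    a->endp = storage + sizeof strings;
    return strlen("script.sh") + 1;
}

int main(void)
{
    char storage[32];
    struct args_mock a;
    size_t consume = build_sample(&a, storage, sizeof storage);
    size_t extend = strlen("/bin/sh") + 1 + consume;  /* new argv[0] + script path */
    size_t fixed = memmove_len_fixed(&a, consume), buggy = memmove_len_buggy(&a, consume);
    printf("fixed: len %zu in bounds %d\n", fixed, memmove_in_bounds(&a, extend, fixed));
    printf("buggy: len %zu in bounds %d\n", buggy, memmove_in_bounds(&a, extend, buggy));
    return 0;
}
```

With the sample data the corrected expression copies 4 bytes and stays in bounds, while the buggy one copies 24 bytes and overruns the 32-byte buffer.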

The overflow makes it possible to overwrite elements of another process's "exec_map" structure located in adjacent memory. The exploit uses it to overwrite the "exec_map" contents of privileged processes that are launched periodically on the system. The process chosen is sshd, which, each time a network connection is established, forks and execs "/usr/libexec/sshd-session" with root privileges.

The exploit injects the environment variable "LD_PRELOAD=/tmp/evil.so" into that process, causing its library to be loaded in the context of sshd-session. The injected library creates an executable file, /tmp/rootsh, in the filesystem with the setuid root bit set. The success rate of the exploit is estimated at 0.6%, but by retrying in a loop, successful exploitation is achieved in approximately 6 seconds on a system with a 4-core CPU.


Additionally, several more vulnerabilities have been fixed in FreeBSD:

  • CVE-2026-35547 and CVE-2026-39457 – buffer overflows in the libnv library, which is used in the kernel and in base system applications to process key/value lists and handle interprocess communication. The first issue is caused by incorrect calculation of the message size when processing specially crafted IPC message headers. The second is a stack overflow during socket communication, caused by a missing check that the socket descriptor fits the size of the buffer used with select(). Both can potentially be exploited to escalate privileges.
  • CVE-2026-42512 – a remotely exploitable buffer overflow in dhclient caused by incorrect calculation of the size of the pointer array used to pass environment variables to dhclient-script. A specially crafted DHCP packet could be used to achieve remote code execution.
  • CVE-2026-7164 – a stack overflow in the pf packet filter when processing specially crafted SCTP packets, caused by unbounded recursive parsing of SCTP parameters.
  • CVE-2026-42511 – arbitrary directives can be inserted into dhclient.conf because double brackets in BOOTP fields received from an external DHCP server are not escaped properly. When dhclient subsequently parses this file, the attacker-supplied field is passed to dhclient-script, which allows arbitrary commands to be executed with root privileges on systems running dhclient against an attacker-controlled DHCP server.
  • CVE-2026-6386 – insufficient handling of large memory pages in the pmap_pkru_update_range() kernel function. An unprivileged user can cause pmap_pkru_update_range() to treat user-space memory as a page-table page, thereby overwriting a memory region it is not authorized to modify.
  • CVE-2026-5398 – a use-after-free in the TIOCNOTTY handler allows an unprivileged process to gain root privileges.

Source: opennet.ru