Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-45258

Summary
Assigner-freebsd
Assigner Org ID-63664ac6-956c-4cba-a5d0-f46076e16109
Published At-27 Jun, 2026 | 08:50
Updated At-30 Jun, 2026 | 03:55
Rejected At-
Credits

Multiple vulnerabilities in the sound(4) mmap path

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:freebsd
Assigner Org ID:63664ac6-956c-4cba-a5d0-f46076e16109
Published At:27 Jun, 2026 | 08:50
Updated At:30 Jun, 2026 | 03:55
Rejected At:
â–¼CVE Numbering Authority (CNA)
Multiple vulnerabilities in the sound(4) mmap path

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

Affected Products
Vendor
FreeBSD FoundationFreeBSD
Product
FreeBSD
Modules
  • sound
Default Status
unknown
Versions
Affected
  • From 15.0-RELEASE before p10 (release)
  • From 14.4-RELEASE before p6 (release)
  • From 14.3-RELEASE before p15 (release)
Problem Types
TypeCWE IDDescription
CWECWE-125CWE-125 Out-of-bounds Read
CWECWE-190CWE-190 Integer Overflow or Wraparound
CWECWE-681CWE-681 Incorrect Conversion between Numeric Types
CWECWE-787CWE-787 Out-of-bounds Write
Type: CWE
CWE ID: CWE-125
Description: CWE-125 Out-of-bounds Read
Type: CWE
CWE ID: CWE-190
Description: CWE-190 Integer Overflow or Wraparound
Type: CWE
CWE ID: CWE-681
Description: CWE-681 Incorrect Conversion between Numeric Types
Type: CWE
CWE ID: CWE-787
Description: CWE-787 Out-of-bounds Write
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Lexpl0it, 75Acol, ch0wn, zer0duck
finder
Emmanuel Genier from Quarkslab
finder
Hazley Samsudin of GovTech CSG
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc
vendor-advisory
Hyperlink: https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc
Resource:
vendor-advisory
â–¼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secteam@freebsd.org
Published At:27 Jun, 2026 | 09:16
Updated At:01 Jul, 2026 | 14:04

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
N/A
Type: Secondary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: N/A
Version:
Base score:
Base severity: N/A
Vector:
CPE Matches

FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p13:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p14:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p4:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p5:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p7:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p8:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p9:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-125Secondarysecteam@freebsd.org
CWE-190Secondarysecteam@freebsd.org
CWE-681Secondarysecteam@freebsd.org
CWE-787Secondarysecteam@freebsd.org
CWE ID: CWE-125
Type: Secondary
Source: secteam@freebsd.org
CWE ID: CWE-190
Type: Secondary
Source: secteam@freebsd.org
CWE ID: CWE-681
Type: Secondary
Source: secteam@freebsd.org
CWE ID: CWE-787
Type: Secondary
Source: secteam@freebsd.org
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.ascsecteam@freebsd.org
Vendor Advisory
Hyperlink: https://security.freebsd.org/advisories/FreeBSD-SA-26:27.sound.asc
Source: secteam@freebsd.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

1969Records found

CVE-2022-23086
Matching Score-10
Assigner-FreeBSD
ShareView Details
Matching Score-10
Assigner-FreeBSD
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 35.81%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 04:57
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mpr/mps/mpt driver ioctl heap out-of-bounds write

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-49416
Matching Score-10
Assigner-FreeBSD
ShareView Details
Matching Score-10
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.36%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 09:25
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integer overflow in vt(4) CONS_HISTORY ioctl

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-1999-0022
Matching Score-10
Assigner-MITRE Corporation
ShareView Details
Matching Score-10
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.50% / 38.87%
||
7 Day CHG~0.00%
Published-29 Sep, 1999 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Action-Not Available
Vendor-bsdin/absdiHP Inc.IBM CorporationSilicon Graphics, Inc.FreeBSD FoundationSun Microsystems (Oracle Corporation)
Product-sunosirixsolarisbsd_osfreebsdhp-uxaixn/afreebsdbsd_ossolarissunoshp-uxaixirix
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7270
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.18% / 7.62%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 07:02
Updated-10 May, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local privilege escalation via execve()

An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2012-4576
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.42% / 33.73%
||
7 Day CHG~0.00%
Published-02 Dec, 2019 | 17:53
Updated-06 Aug, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeBSD: Input Validation Flaw allows local users to gain elevated privileges

Action-Not Available
Vendor-Debian GNU/LinuxFreeBSD Foundation
Product-freebsddebian_linuxFreeBSD
CWE ID-CWE-20
Improper Input Validation
CVE-2020-10566
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.34% / 26.08%
||
7 Day CHG~0.00%
Published-14 Mar, 2020 | 00:52
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, mishandles font loading by a guest through a grub2.cfg file, leading to a buffer overflow.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdn/a
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2019-15878
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.32% / 23.57%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 15:38
Updated-05 Aug, 2024 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.1-STABLE before r352509, 11.3-STABLE before r352509, and 11.3-RELEASE before p9, an unprivileged local user can trigger a use-after-free situation due to improper checking in SCTP when an application tries to update an SCTP-AUTH shared key.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2022-23084
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.24% / 15.40%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 04:52
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential jail escape vulnerabilities in netmap

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2006-6165
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.34% / 25.80%
||
7 Day CHG+0.02%
Published-29 Nov, 2006 | 01:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ld.so in FreeBSD, NetBSD, and possibly other BSD distributions does not remove certain harmful environment variables, which allows local users to gain privileges by passing certain environment variables to loading processes. NOTE: this issue has been disputed by a third party, stating that it is the responsibility of the application to properly sanitize the environment

Action-Not Available
Vendor-n/aFreeBSD FoundationNetBSD
Product-freebsdnetbsdn/a
CVE-2026-49412
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.25%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 09:02
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free bug in the IPV6_MSFILTER socket option handler

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. An unprivileged local user can exploit this use-after-free to escalate privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2026-49414
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.34%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 09:22
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ASLR bypass for setuid executables via procctl(2)

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-179
Incorrect Behavior Order: Early Validation
CVE-2026-45250
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.41% / 32.82%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 08:37
Updated-22 May, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack buffer overflow via setcred(2)

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2026-45251
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.17% / 6.70%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 09:04
Updated-22 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel use-after-free via file descriptor syscalls

A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2026-45257
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.88%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:50
Updated-27 Jun, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary file overwrite via the KTLS receive path

The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-123
Write-what-where Condition
CVE-2005-1036
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.38% / 29.69%
||
7 Day CHG~0.00%
Published-10 Apr, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain privileges.

Action-Not Available
Vendor-n/aFreeBSD FoundationAdvanced Micro Devices, Inc.
Product-freebsdamd64n/a
CWE ID-CWE-909
Missing Initialization of Resource
CVE-2026-39457
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.69%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 08:01
Updated-01 May, 2026 | 12:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack overflow via select() file descriptor set overflow

When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2020-10565
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.41% / 32.92%
||
7 Day CHG~0.00%
Published-14 Mar, 2020 | 00:53
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the context of the grub-bhyve process, resulting in code execution as root on the host OS.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdn/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2021-29627
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.75% / 50.42%
||
7 Day CHG~0.00%
Published-07 Apr, 2021 | 14:45
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly freed a process supplied argument string. Additional operations on the socket can lead to a double free or use after free.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CWE ID-CWE-415
Double Free
CVE-2021-29631
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.29% / 20.37%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 18:00
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O descriptors. A malicious guest may cause the device model to operate on uninitialized I/O vectors leading to memory corruption, crashing of the bhyve process, and possibly arbitrary code execution in the bhyve process.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2019-17388
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.57% / 43.01%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 17:08
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.

Action-Not Available
Vendor-n/aLinux Kernel Organization, IncAviatrix Systems, Inc.FreeBSD FoundationMicrosoft Corporation
Product-freebsdwindowsvpn_clientlinux_kerneln/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-24717
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.46% / 36.64%
||
7 Day CHG~0.00%
Published-27 Aug, 2020 | 18:03
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.

Action-Not Available
Vendor-openzfsn/aFreeBSD Foundation
Product-openzfsfreebsdn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-24716
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.48% / 38.06%
||
7 Day CHG~0.00%
Published-27 Aug, 2020 | 18:03
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.

Action-Not Available
Vendor-openzfsn/aFreeBSD Foundation
Product-openzfsfreebsdn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-5606
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.59% / 43.96%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:33
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r349806, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, code which handles close of a descriptor created by posix_openpt fails to undo a signal configuration. This causes an incorrect signal to be raised leading to a write after free of kernel memory allowing a malicious user to gain root privileges or escape a jail.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2019-5603
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.62% / 45.50%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:16
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r350261, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350263, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, system calls operating on file descriptors as part of mqueuefs did not properly release the reference allowing a malicious user to overflow the counter allowing access to files, directories, and sockets opened by processes owned by other users.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-404
Improper Resource Shutdown or Release
CVE-2019-5607
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.54% / 41.22%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:28
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r350222, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350223, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, rights transmitted over a domain socket did not properly release a reference on transmission error allowing a malicious user to cause the reference counter to wrap, forcing a free event. This could allow a malicious local user to gain root privileges or escape from a jail.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-404
Improper Resource Shutdown or Release
CWE ID-CWE-682
Incorrect Calculation
CVE-2019-5602
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.8||HIGH
EPSS-4.09% / 89.49%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 18:52
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349629, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-863
Incorrect Authorization
CVE-2024-51565
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-6.5||MEDIUM
EPSS-0.39% / 30.95%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 14:53
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bhyve(8) hda driver buffer over-read

The hda driver is vulnerable to a buffer over-read from a guest-controlled value.

Action-Not Available
Vendor-FreeBSD Foundation
Product-FreeBSDfreebsd
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-51562
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 31.60%
||
7 Day CHG~0.00%
Published-12 Nov, 2024 | 14:44
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bhyve(8) nvme_opc_get_log_page buffer over-read

The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.

Action-Not Available
Vendor-FreeBSD Foundation
Product-FreeBSDfreebsd
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-5600
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-9.8||CRITICAL
EPSS-4.86% / 90.97%
||
7 Day CHG~0.00%
Published-03 Jul, 2019 | 18:50
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r349622, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349624, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in iconv implementation may allow an attacker to write past the end of an output buffer. Depending on the implementation, an attacker may be able to create a denial of service, provoke incorrect program behavior, or induce a remote code execution.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
CVE-2019-5608
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-9.8||CRITICAL
EPSS-2.13% / 79.69%
||
7 Day CHG~0.00%
Published-29 Aug, 2019 | 21:54
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r350648, 12.0-RELEASE before 12.0-RELEASE-p9, 11.3-STABLE before r350650, 11.3-RELEASE before 11.3-RELEASE-p2, and 11.2-RELEASE before 11.2-RELEASE-p13, the ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.

Action-Not Available
Vendor-n/aFreeBSD FoundationNetApp, Inc.
Product-freebsdclustered_data_ontapFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-45287
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-9.1||CRITICAL
EPSS-0.51% / 39.80%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 03:18
Updated-26 Sep, 2024 | 15:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities in libnv

A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-131
Incorrect Calculation of Buffer Size
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2022-23085
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-9.8||CRITICAL
EPSS-0.49% / 38.57%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 04:52
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential jail escape vulnerabilities in netmap

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-43110
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.4||HIGH
EPSS-0.40% / 31.52%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 04:31
Updated-04 Nov, 2025 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple issues in ctl(4) CAM Target Layer

The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-125
Out-of-bounds Read
CVE-2022-23089
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-4.7||MEDIUM
EPSS-0.18% / 7.27%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 05:07
Updated-04 Jun, 2025 | 21:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Out of bound read in elf_note_prpsinfo()

When dumping core and saving process information, proc_getargv() might return an sbuf which have a sbuf_len() of 0 or -1, which is not properly handled. An out-of-bound read can happen when user constructs a specially crafted ps_string, which in turn can cause the kernel to crash.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-125
Out-of-bounds Read
CVE-2022-23092
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.8||HIGH
EPSS-0.65% / 46.79%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 05:13
Updated-04 Jun, 2025 | 22:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing bounds check in 9p message handling

The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. The bug can be triggered by a malicious bhyve guest kernel to overwrite memory in the bhyve(8) process. This could potentially lead to user-mode code execution on the host, subject to bhyve's Capsicum sandbox.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-41721
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.1||HIGH
EPSS-0.78% / 51.30%
||
7 Day CHG-0.01%
Published-20 Sep, 2024 | 07:51
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bhyve(8) out-of-bounds read access via XHCI emulation

An insufficient boundary validation in the USB code could lead to an out-of-bounds read on the heap, which could potentially lead to an arbitrary write and remote code execution.

Action-Not Available
Vendor-FreeBSD Foundation
Product-FreeBSDfreebsd
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-41928
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.4||HIGH
EPSS-0.24% / 15.47%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 03:32
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bhyve(8) privileged guest escape via TPM device passthrough

Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

Action-Not Available
Vendor-FreeBSD Foundation
Product-FreeBSDfreebsd
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
CWE ID-CWE-787
Out-of-bounds Write
CVE-2019-12900
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-8.04% / 94.09%
||
7 Day CHG~0.00%
Published-19 Jun, 2019 | 22:07
Updated-09 Jun, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Action-Not Available
Vendor-bzipn/aCanonical Ltd.Python Software FoundationFreeBSD FoundationDebian GNU/LinuxopenSUSE
Product-debian_linuxleapubuntu_linuxpythonfreebsdbzip2n/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2022-23087
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.8||HIGH
EPSS-0.21% / 11.04%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 05:01
Updated-27 Mar, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bhyve e82545 device emulation out-of-bounds write

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context. The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-32668
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.2||HIGH
EPSS-0.21% / 11.61%
||
7 Day CHG~0.00%
Published-05 Sep, 2024 | 04:42
Updated-20 Sep, 2024 | 16:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
bhyve(8) privileged guest escape via USB controller

An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-787
Out-of-bounds Write
CWE ID-CWE-193
Off-by-one Error
CVE-2004-0112
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-10.42% / 95.18%
||
7 Day CHG~0.00%
Published-18 Mar, 2004 | 05:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.

Action-Not Available
Vendor-scoforcepointstonesoftlitespeedtech4dbluecoatneoteristarantellasecurecomputingn/aApple Inc.HP Inc.Symantec CorporationDell Inc.VMware (Broadcom Inc.)Cisco Systems, Inc.Silicon Graphics, Inc.FreeBSD FoundationAvaya LLCCheck Point Software Technologies Ltd.Red Hat, Inc.OpenBSDNovellOpenSSLSun Microsystems (Oracle Corporation)
Product-sg200serverclusteraccess_registrarimanagerinstant_virtual_extranetstonebeat_webclustercontent_services_switch_11500enterprise_linuxopenservermds_9000hp-uxiosprovider-1edirectorycall_managermac_os_x_serverstonebeat_fullclusterlinuxpropackfreebsdintuity_audixcrypto_accelerator_4000litespeed_web_serverproxysggss_4490_global_site_selectorvsuenterprise_linux_desktopapache-based_web_serverstonebeat_securityclusterfirewall-1wbemgsx_serversg208ciscoworks_common_serviceswebnsstonegateconverged_communications_serverpix_firewallmac_os_xvpn-1application_and_content_networking_softwarefirewall_services_modulesg203sidewinderbsafe_ssl-jwebstaraaa_servertarantella_enterpriseokena_stormwatchsecure_content_acceleratoropenbsdcss_secure_content_accelerators8500threat_responseopensslciscoworks_common_management_foundationsg5s8700gss_4480_global_site_selectorpix_firewall_softwareclientless_vpn_gateway_4400cacheos_ca_sacss11000_content_services_switchs8300n/a
CWE ID-CWE-125
Out-of-bounds Read
CVE-2018-7183
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-10.78% / 95.30%
||
7 Day CHG~0.00%
Published-08 Mar, 2018 | 20:00
Updated-05 Aug, 2024 | 06:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.

Action-Not Available
Vendor-ntpn/aFreeBSD FoundationNetApp, Inc.Canonical Ltd.
Product-freebsdntpelement_softwareubuntu_linuxn/a
CWE ID-CWE-787
Out-of-bounds Write
CVE-2020-7461
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-7.3||HIGH
EPSS-4.47% / 90.29%
||
7 Day CHG~0.00%
Published-26 Mar, 2021 | 20:55
Updated-04 Aug, 2024 | 09:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.1-STABLE before r365010, 11.4-STABLE before r365011, 12.1-RELEASE before p9, 11.4-RELEASE before p3, and 11.3-RELEASE before p13, dhclient(8) fails to handle certain malformed input related to handling of DHCP option 119 resulting a heap overflow. The heap overflow could in principle be exploited to achieve remote code execution. The affected process runs with reduced privileges in a Capsicum sandbox, limiting the immediate impact of an exploit.

Action-Not Available
Vendor-n/aSiemens AGFreeBSD Foundation
Product-freebsdsimatic_rf350m_firmwaresimatic_rf650m_firmwaresimatic_rf350msimatic_rf650mFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
CVE-2018-6917
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-7.5||HIGH
EPSS-2.03% / 78.72%
||
7 Day CHG~0.00%
Published-04 Apr, 2018 | 14:00
Updated-17 Sep, 2024 | 01:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, 10.4-RELEASE-p8 and 10.3-RELEASE-p28, insufficient validation of user-provided font parameters can result in an integer overflow, leading to the use of arbitrary kernel memory as glyph data. Unprivileged users may be able to access privileged kernel data.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-45253
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-8.4||HIGH
EPSS-0.20% / 9.56%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 09:17
Updated-22 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Missing validation in ptrace(PT_SC_REMOTE)

ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
CVE-2023-3107
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-7.5||HIGH
EPSS-0.54% / 41.42%
||
7 Day CHG~0.00%
Published-01 Aug, 2023 | 22:01
Updated-09 Jul, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Remote denial of service in IPv6 fragment reassembly

A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service.

Action-Not Available
Vendor-NetApp, Inc.FreeBSD Foundation
Product-freebsdclustered_data_ontapFreeBSD
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2018-17157
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-9.8||CRITICAL
EPSS-24.17% / 97.58%
||
7 Day CHG~0.00%
Published-04 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer overflow error when handling opcodes can cause memory corruption by sending a specially crafted NFSv4 request. Unprivileged remote users with access to the NFS server may be able to execute arbitrary code.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2018-17158
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-7.5||HIGH
EPSS-4.41% / 90.16%
||
7 Day CHG~0.00%
Published-04 Dec, 2018 | 15:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD before 11.2-STABLE(r340854) and 11.2-RELEASE-p5, an integer overflow error can occur when handling the client address length field in an NFSv4 request. Unprivileged remote users with access to the NFS server can crash the system by sending a specially crafted NFSv4 request.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2018-17156
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-5.9||MEDIUM
EPSS-1.63% / 73.29%
||
7 Day CHG~0.00%
Published-28 Nov, 2018 | 16:00
Updated-05 Aug, 2024 | 10:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD before 11.2-STABLE(r340268) and 11.2-RELEASE-p5, due to incorrectly accounting for padding on 64-bit platforms, a buffer underwrite could occur when constructing an ICMP reply packet when using a non-standard value for the net.inet.icmp.quotelen sysctl.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-3038
Matching Score-6
Assigner-FreeBSD
ShareView Details
Matching Score-6
Assigner-FreeBSD
CVSS Score-7.5||HIGH
EPSS-0.47% / 37.18%
||
7 Day CHG~0.00%
Published-09 Mar, 2026 | 12:25
Updated-17 Mar, 2026 | 15:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Local DoS and possible privilege escalation via routing sockets

The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not necessarily the case, and it's possible for a malicious userspace program to craft a request which triggers a 127-byte overflow. In practice, this overflow immediately overwrites the canary for the rtsock_msg_buffer() stack frame, resulting in a panic once the function returns. The bug allows an unprivileged user to crash the kernel by triggering a stack buffer overflow in rtsock_msg_buffer(). In particular, the overflow will corrupt a stack canary value that is verified when the function returns; this mitigates the impact of the stack overflow by triggering a kernel panic. Other kernel bugs may exist which allow userspace to find the canary value and thus defeat the mitigation, at which point local privilege escalation may be possible.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-787
Out-of-bounds Write
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 39
  • 40
  • Next
Details not found