Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-7270

Summary
Assigner-freebsd
Assigner Org ID-63664ac6-956c-4cba-a5d0-f46076e16109
Published At-30 Apr, 2026 | 07:02
Updated At-10 May, 2026 | 06:55
Rejected At-
Credits

Local privilege escalation via execve()

An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:freebsd
Assigner Org ID:63664ac6-956c-4cba-a5d0-f46076e16109
Published At:30 Apr, 2026 | 07:02
Updated At:10 May, 2026 | 06:55
Rejected At:
â–¼CVE Numbering Authority (CNA)
Local privilege escalation via execve()

An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges.

Affected Products
Vendor
FreeBSD FoundationFreeBSD
Product
FreeBSD
Modules
  • kernel
Default Status
unknown
Versions
Affected
  • From 15.0-RELEASE before p7 (release)
  • From 14.4-RELEASE before p3 (release)
  • From 14.3-RELEASE before p12 (release)
  • From 13.5-RELEASE before p13 (release)
Problem Types
TypeCWE IDDescription
CWECWE-783CWE-783: Operator Precedence Logic Error
Type: CWE
CWE ID: CWE-783
Description: CWE-783: Operator Precedence Logic Error
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Ryan Austin of Calif.io
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.asc
vendor-advisory
Hyperlink: https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.asc
Resource:
vendor-advisory
â–¼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsd
N/A
https://news.ycombinator.com/item?id=48077971
N/A
Hyperlink: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsd
Resource: N/A
Hyperlink: https://news.ycombinator.com/item?id=48077971
Resource: N/A
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secteam@freebsd.org
Published At:30 Apr, 2026 | 07:16
Updated At:10 May, 2026 | 08:16

An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches

FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:beta3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p10:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p11:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p12:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>13.5
cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.3
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>14.4
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
FreeBSD Foundation
freebsd
>>freebsd>>15.0
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-783Secondarysecteam@freebsd.org
CWE ID: CWE-783
Type: Secondary
Source: secteam@freebsd.org
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.ascsecteam@freebsd.org
Vendor Advisory
https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsdaf854a3a-2127-422b-91ae-364da2661108
N/A
https://news.ycombinator.com/item?id=48077971af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://security.freebsd.org/advisories/FreeBSD-SA-26:13.exec.asc
Source: secteam@freebsd.org
Resource:
Vendor Advisory
Hyperlink: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsd
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://news.ycombinator.com/item?id=48077971
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

34Records found

CVE-2012-4576
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-7.8||HIGH
EPSS-0.42% / 33.73%
||
7 Day CHG~0.00%
Published-02 Dec, 2019 | 17:53
Updated-06 Aug, 2024 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeBSD: Input Validation Flaw allows local users to gain elevated privileges

Action-Not Available
Vendor-Debian GNU/LinuxFreeBSD Foundation
Product-freebsddebian_linuxFreeBSD
CWE ID-CWE-20
Improper Input Validation
CVE-2020-10566
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.34% / 26.08%
||
7 Day CHG~0.00%
Published-14 Mar, 2020 | 00:52
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, mishandles font loading by a guest through a grub2.cfg file, leading to a buffer overflow.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdn/a
CWE ID-CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2019-15878
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.32% / 23.57%
||
7 Day CHG~0.00%
Published-13 May, 2020 | 15:38
Updated-05 Aug, 2024 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.1-STABLE before r352509, 11.3-STABLE before r352509, and 11.3-RELEASE before p9, an unprivileged local user can trigger a use-after-free situation due to improper checking in SCTP when an application tries to update an SCTP-AUTH shared key.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2022-23084
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.24% / 15.40%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 04:52
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Potential jail escape vulnerabilities in netmap

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
CVE-2006-6165
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.34% / 25.80%
||
7 Day CHG+0.02%
Published-29 Nov, 2006 | 01:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ld.so in FreeBSD, NetBSD, and possibly other BSD distributions does not remove certain harmful environment variables, which allows local users to gain privileges by passing certain environment variables to loading processes. NOTE: this issue has been disputed by a third party, stating that it is the responsibility of the application to properly sanitize the environment

Action-Not Available
Vendor-n/aFreeBSD FoundationNetBSD
Product-freebsdnetbsdn/a
CVE-2022-23086
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-9.8||CRITICAL
EPSS-0.45% / 35.81%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 04:57
Updated-13 Feb, 2025 | 16:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mpr/mps/mpt driver ioctl heap out-of-bounds write

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSDfreebsd
CWE ID-CWE-122
Heap-based Buffer Overflow
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-49412
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.10% / 1.25%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 09:02
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use-after-free bug in the IPV6_MSFILTER socket option handler

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. An unprivileged local user can exploit this use-after-free to escalate privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2026-49414
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.34%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 09:22
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ASLR bypass for setuid executables via procctl(2)

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-179
Incorrect Behavior Order: Early Validation
CVE-2026-49416
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.36%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 09:25
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Integer overflow in vt(4) CONS_HISTORY ioctl

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-45250
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.41% / 32.82%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 08:37
Updated-22 May, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack buffer overflow via setcred(2)

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2026-45251
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.17% / 6.70%
||
7 Day CHG~0.00%
Published-21 May, 2026 | 09:04
Updated-22 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kernel use-after-free via file descriptor syscalls

A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2026-45257
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.88%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 14:50
Updated-27 Jun, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary file overwrite via the KTLS receive path

The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-123
Write-what-where Condition
CVE-2026-45258
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.50%
||
7 Day CHG~0.00%
Published-27 Jun, 2026 | 08:50
Updated-01 Jul, 2026 | 14:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Multiple vulnerabilities in the sound(4) mmap path

dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-190
Integer Overflow or Wraparound
CWE ID-CWE-681
Incorrect Conversion between Numeric Types
CWE ID-CWE-787
Out-of-bounds Write
CVE-2005-1036
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.38% / 29.69%
||
7 Day CHG~0.00%
Published-10 Apr, 2005 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain privileges.

Action-Not Available
Vendor-n/aFreeBSD FoundationAdvanced Micro Devices, Inc.
Product-freebsdamd64n/a
CWE ID-CWE-909
Missing Initialization of Resource
CVE-2026-39457
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.69%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 08:01
Updated-01 May, 2026 | 12:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stack overflow via select() file descriptor set overflow

When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-121
Stack-based Buffer Overflow
CVE-2020-10565
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.41% / 32.92%
||
7 Day CHG~0.00%
Published-14 Mar, 2020 | 00:53
Updated-04 Aug, 2024 | 11:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

grub2-bhyve, as used in FreeBSD bhyve before revision 525916 2020-02-12, does not validate the address provided as part of a memrw command (read_* or write_*) by a guest through a grub2.cfg file. This allows an untrusted guest to perform arbitrary read or write operations in the context of the grub-bhyve process, resulting in code execution as root on the host OS.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdn/a
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-1999-0022
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.50% / 38.87%
||
7 Day CHG~0.00%
Published-29 Sep, 1999 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Local user gains root privileges via buffer overflow in rdist, via expstr() function.

Action-Not Available
Vendor-bsdin/absdiHP Inc.IBM CorporationSilicon Graphics, Inc.FreeBSD FoundationSun Microsystems (Oracle Corporation)
Product-sunosirixsolarisbsd_osfreebsdhp-uxaixn/afreebsdbsd_ossolarissunoshp-uxaixirix
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-29627
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.75% / 50.42%
||
7 Day CHG~0.00%
Published-07 Apr, 2021 | 14:45
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13.0-RC4 before p0, and 12.2-RELEASE before p6, listening socket accept filters implementing the accf_create callback incorrectly freed a process supplied argument string. Additional operations on the socket can lead to a double free or use after free.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CWE ID-CWE-415
Double Free
CVE-2021-29631
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.29% / 20.37%
||
7 Day CHG~0.00%
Published-30 Aug, 2021 | 18:00
Updated-03 Aug, 2024 | 22:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before r370400, 11.4-STABLE before r370399, 13.0-RELEASE before p4, 12.2-RELEASE before p10, and 11.4-RELEASE before p13, certain VirtIO-based device models in bhyve failed to handle errors when fetching I/O descriptors. A malicious guest may cause the device model to operate on uninitialized I/O vectors leading to memory corruption, crashing of the bhyve process, and possibly arbitrary code execution in the bhyve process.

Action-Not Available
Vendor-n/aFreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-908
Use of Uninitialized Resource
CVE-2019-17388
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.57% / 43.01%
||
7 Day CHG~0.00%
Published-05 Dec, 2019 | 17:08
Updated-05 Aug, 2024 | 01:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Weak file permissions applied to the Aviatrix VPN Client through 2.2.10 installation directory on Windows and Linux allow a local attacker to execute arbitrary code by gaining elevated privileges through file modifications.

Action-Not Available
Vendor-n/aLinux Kernel Organization, IncAviatrix Systems, Inc.FreeBSD FoundationMicrosoft Corporation
Product-freebsdwindowsvpn_clientlinux_kerneln/a
CWE ID-CWE-732
Incorrect Permission Assignment for Critical Resource
CVE-2020-24717
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.46% / 36.64%
||
7 Day CHG~0.00%
Published-27 Aug, 2020 | 18:03
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777.

Action-Not Available
Vendor-openzfsn/aFreeBSD Foundation
Product-openzfsfreebsdn/a
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2020-24716
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.48% / 38.06%
||
7 Day CHG~0.00%
Published-27 Aug, 2020 | 18:03
Updated-04 Aug, 2024 | 15:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories.

Action-Not Available
Vendor-openzfsn/aFreeBSD Foundation
Product-openzfsfreebsdn/a
CWE ID-CWE-863
Incorrect Authorization
CVE-2019-5606
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.59% / 43.96%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:33
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r349806, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, code which handles close of a descriptor created by posix_openpt fails to undo a signal configuration. This causes an incorrect signal to be raised leading to a write after free of kernel memory allowing a malicious user to gain root privileges or escape a jail.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-416
Use After Free
CVE-2019-5603
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.62% / 45.50%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:16
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r350261, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350263, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, system calls operating on file descriptors as part of mqueuefs did not properly release the reference allowing a malicious user to overflow the counter allowing access to files, directories, and sockets opened by processes owned by other users.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-404
Improper Resource Shutdown or Release
CVE-2019-5607
Matching Score-8
Assigner-FreeBSD
ShareView Details
Matching Score-8
Assigner-FreeBSD
CVSS Score-7.8||HIGH
EPSS-0.54% / 41.22%
||
7 Day CHG~0.00%
Published-26 Jul, 2019 | 00:28
Updated-04 Aug, 2024 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In FreeBSD 12.0-STABLE before r350222, 12.0-RELEASE before 12.0-RELEASE-p8, 11.3-STABLE before r350223, 11.3-RELEASE before 11.3-RELEASE-p1, and 11.2-RELEASE before 11.2-RELEASE-p12, rights transmitted over a domain socket did not properly release a reference on transmission error allowing a malicious user to cause the reference counter to wrap, forcing a free event. This could allow a malicious local user to gain root privileges or escape from a jail.

Action-Not Available
Vendor-FreeBSD Foundation
Product-freebsdFreeBSD
CWE ID-CWE-404
Improper Resource Shutdown or Release
CWE ID-CWE-682
Incorrect Calculation
CVE-2024-44093
Matching Score-4
Assigner-Google Devices
ShareView Details
Matching Score-4
Assigner-Google Devices
CVSS Score-7.4||HIGH
EPSS-0.08% / 0.14%
||
7 Day CHG~0.00%
Published-13 Sep, 2024 | 20:28
Updated-18 Sep, 2024 | 13:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In ppmp_unprotect_buf of drm/code/drm_fw.c, there is a possible memory corruption due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-783
Operator Precedence Logic Error
CWE ID-CWE-787
Out-of-bounds Write
CVE-2024-34726
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.11% / 1.58%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:11
Updated-17 Dec, 2024 | 18:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In PVRSRV_MMap of pvr_bridge_k.c, there is a possible arbitrary code execution due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Imagination Technologies LimitedGoogle LLC
Product-androidAndroidpowervr-gpu
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2024-34720
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.4||HIGH
EPSS-0.11% / 1.45%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:11
Updated-17 Dec, 2024 | 18:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In com_android_internal_os_ZygoteCommandBuffer_nativeForkRepeatedly of com_android_internal_os_ZygoteCommandBuffer.cpp, there is a possible method to perform arbitrary code execution in any app zygote processes due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2024-34723
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.3||MEDIUM
EPSS-0.11% / 1.85%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:11
Updated-17 Dec, 2024 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In onTransact of ParcelableListBinder.java , there is a possible way to steal mAllowlistToken to launch an app from background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2024-34741
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.15% / 4.88%
||
7 Day CHG~0.00%
Published-15 Aug, 2024 | 21:56
Updated-17 Dec, 2024 | 17:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In setForceHideNonSystemOverlayWindowIfNeeded of WindowState.java, there is a possible way for message content to be visible on the screensaver while lock screen visibility settings are restricted by the user due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-269
Improper Privilege Management
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2024-31326
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.13% / 3.16%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:09
Updated-17 Dec, 2024 | 19:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In multiple locations, there is a possible way in which policy migration code will never be executed due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2024-31331
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.12% / 1.96%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:11
Updated-14 Mar, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In setMimeGroup of PackageManagerService.java, there is a possible way to hide the service from Settings due to a logic error in the code. This could lead to local escalation of privilege with User execution privileges needed. User interaction is needed for exploitation.

Action-Not Available
Vendor-Google LLC
Product-androidAndroidandroid
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2024-31335
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-8.4||HIGH
EPSS-0.12% / 2.33%
||
7 Day CHG~0.00%
Published-09 Jul, 2024 | 20:11
Updated-17 Dec, 2024 | 18:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In DevmemIntChangeSparse2 of devicemem_server.c, there is a possible arbitrary code execution due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.

Action-Not Available
Vendor-Imagination Technologies LimitedGoogle LLC
Product-androidAndroidpowervr-gpu
CWE ID-CWE-783
Operator Precedence Logic Error
CVE-2022-20477
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-4
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-7.8||HIGH
EPSS-0.14% / 3.93%
||
7 Day CHG~0.00%
Published-13 Dec, 2022 | 00:00
Updated-22 Apr, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In shouldHideNotification of KeyguardNotificationVisibilityProvider.kt, there is a possible way to show hidden notifications due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-241611867

Action-Not Available
Vendor-n/aGoogle LLC
Product-androidAndroid
CWE ID-CWE-783
Operator Precedence Logic Error
Details not found