Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-45257
PUBLISHED
More InfoOfficial Page
Assigner-freebsd
Assigner Org ID-63664ac6-956c-4cba-a5d0-f46076e16109
View Known Exploited Vulnerability (KEV) details
Published At-26 Jun, 2026 | 14:50
Updated At-27 Jun, 2026 | 03:55
Rejected At-
▼CVE Numbering Authority (CNA)
Arbitrary file overwrite via the KTLS receive path

The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.

Affected Products
Vendor
FreeBSD FoundationFreeBSD
Product
FreeBSD
Modules
  • ktls
Default Status
unknown
Versions
Affected
  • From 15.0-RELEASE before p10 (release)
  • From 14.4-RELEASE before p6 (release)
  • From 14.3-RELEASE before p15 (release)
Problem Types
TypeCWE IDDescription
CWECWE-123CWE-123 Write-what-where Condition
Type: CWE
CWE ID: CWE-123
Description: CWE-123 Write-what-where Condition
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Bumsrakete
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://security.freebsd.org/advisories/FreeBSD-SA-26:26.ktls.asc
vendor-advisory
Hyperlink: https://security.freebsd.org/advisories/FreeBSD-SA-26:26.ktls.asc
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/06/10/20
N/A
http://www.openwall.com/lists/oss-security/2026/06/10/21
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/10/20
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/10/21
Resource: N/A
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://www.heise.de/en/news/FreeBSD-Privilege-Escalation-Vulnerability-with-Tongue-in-Cheek-Codename-11329109.html
third-party-advisory
exploit
Hyperlink: https://www.heise.de/en/news/FreeBSD-Privilege-Escalation-Vulnerability-with-Tongue-in-Cheek-Codename-11329109.html
Resource:
third-party-advisory
exploit
Details not found