Multiple reports describe a recurring local privilege escalation in FreeBSD's execve() handling. According to the separate advisories, the flaw stems from insufficient checks during process execution and credential handling, letting an attacker with local access obtain elevated rights. Note that the detailed entries below attribute the underlying bug to the setcred(2) system call rather than to execve() itself. Vendors and administrators should apply the available patches or mitigations promptly, audit systems for signs of exploitation, and restrict local access where possible. The coordinated disclosures underline the value of timely kernel updates and stricter privilege separation against this class of execution-path weakness.
Kernel flaws that let a local user become root collapse the host's trust boundaries: anything that can run code on the box, including build agents and automation pipelines, must then be assumed capable of full compromise. Treat execve()/credential-handling bugs of this kind as high risk and patch accordingly.
Dossier last updated: 2026-05-21 14:27:15
A stack buffer overflow in the setcred(2) system call introduced in FreeBSD 14.x (CVE-2026-45250) lets any local unprivileged user crash the kernel or escalate to root. The root cause is a sizeof typo in kern_setcred_copyin_supp_groups(): the code uses sizeof(*groups) where groups is a gid_t **, so each entry is sized as a pointer (8 bytes on LP64) rather than as a gid_t (4 bytes), and the copy writes 8 bytes per entry into a stack buffer that reserves 4 bytes per entry. Researchers have working exploits that yield root on amd64 GENERIC kernels both with and without SMAP/SMEP; the SMAP/SMEP-safe variant only requires zfs.ko to be loaded, which is common on systems using ZFS. The fix landed on main in November 2025 but was not backported to stable/14 or releng/14.4, so FreeBSD 14.4-RELEASE remains vulnerable. FreeBSD 15.0 still contains the typo, but there it currently only produces a panic; no LPE chain is known for it.
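The sizing mistake described above is easy to reproduce in userland. The following is an added example, not FreeBSD's code: it models a `gid_t **` parameter with a 4-byte stand-in type, shows that `sizeof(*groups)` yields the size of a pointer rather than of a group ID, and runs both the buggy and the corrected length through a bounded copy that refuses anything the destination cannot hold. The names (`mgid_t`, `buggy_copy_len`, `model_copyin_supp_groups`) and the 16-entry on-stack capacity are assumptions for the demo; the real buffer size is not stated on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gid_t: 4 bytes, as on FreeBSD amd64 (assumption for the demo). */
typedef uint32_t mgid_t;

/* Hypothetical on-stack capacity for the supplementary-group fast path.
 * The real value is not on the page; 16 is an assumed figure. */
#define STACK_GROUPS 16

/* Vulnerable sizing: 'groups' is a double pointer, so sizeof(*groups) is
 * sizeof(mgid_t *), a pointer (8 bytes on LP64), not sizeof(mgid_t) (4). */
size_t buggy_copy_len(mgid_t **groups, size_t ngroups)
{
    return ngroups * sizeof(*groups);
}

/* Corrected sizing: name the element type the destination buffer holds. */
size_t fixed_copy_len(mgid_t **groups, size_t ngroups)
{
    (void)groups;
    return ngroups * sizeof(mgid_t);
}

/* Bytes that the buggy length would write past an on-stack buffer of
 * 'cap' group IDs; 0 when the oversized copy still happens to fit. */
size_t overflow_bytes(size_t ngroups, size_t cap)
{
    size_t len = buggy_copy_len((mgid_t **)0, ngroups);
    size_t room = cap * sizeof(mgid_t);
    return len > room ? len - room : 0;
}

/* Simulated copyin that checks the byte count against the destination
 * before copying. Returns 0 on success, -1 if 'out' cannot hold copy_len. */
int model_copyin_supp_groups(const mgid_t *user_groups, size_t ngroups,
                             size_t copy_len, mgid_t *out, size_t out_cap)
{
    (void)ngroups;
    if (copy_len > out_cap * sizeof(mgid_t))
        return -1;
    memcpy(out, user_groups, copy_len);
    return 0;
}

/* Drive both sizings through the bounded copy with constructed input.
 * Returns the result of the buggy path (-1 when it would have overflowed). */
int demo(size_t ngroups)
{
    mgid_t user[STACK_GROUPS];   /* constructed "userland" group list */
    mgid_t kstack[STACK_GROUPS]; /* model of the kernel's on-stack buffer */
    mgid_t *p = user;
    size_t i;

    for (i = 0; i < STACK_GROUPS; i++)
        user[i] = 1000 + (mgid_t)i;

    size_t blen = buggy_copy_len(&p, ngroups);
    size_t flen = fixed_copy_len(&p, ngroups);
    int bug = model_copyin_supp_groups(user, ngroups, blen, kstack, STACK_GROUPS);
    int ok  = model_copyin_supp_groups(user, ngroups, flen, kstack, STACK_GROUPS);

    printf("ngroups=%zu: buggy len %zu -> %s, fixed len %zu -> %s, "
           "overflow %zu bytes\n",
           ngroups, blen, bug ? "rejected" : "copied",
           flen, ok ? "rejected" : "copied",
           overflow_bytes(ngroups, STACK_GROUPS));
    return bug;
}

int main(void)
{
    demo(STACK_GROUPS);   /* full buffer: the buggy length is twice the room */
    demo(4);              /* small list: oversized copy fits, but reads 8 bytes per entry */
    return 0;
}
```

With 16 groups the buggy computation asks for 128 bytes against a 64-byte buffer; on a real kernel that copyin lands on the stack frame's saved registers and return address, which is the primitive the advisories describe. With a short list the copy still "fits", but it pulls 8 bytes per entry from userland, so the group IDs end up at the wrong offsets and the trailing half of the buffer holds bytes the user never supplied as gids. The durable fix is the corrected sizing plus a length check against the destination, not one or the other.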
FreeBSD: Local privilege escalation via execve()