SecurityHome.eu FreeBSD Security Advisory FreeBSD-SA-26:39.execve

Home / mailings PDF

FreeBSD Security Advisory FreeBSD-SA-26:39.execve
Posted on 30 June 2026
FreeBSD security notificat
=============================================================================FreeBSD-SA-26:39.execve Security Advisory
The FreeBSD Project

Topic: Local privilege escalation via execve(2) TOCTOU race

Category: core
Module: execve
Announced: 2026-06-30
Credits: Synacktiv
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-26 22:20:44 UTC (stable/15, 15.1-STABLE)
2026-06-30 17:21:55 UTC (releng/15.1, 15.1-RELEASE-p1)
2026-06-30 17:21:22 UTC (releng/15.0, 15.0-RELEASE-p11)
2026-06-28 00:30:18 UTC (stable/14, 14.4-STABLE)
2026-06-30 17:20:55 UTC (releng/14.4, 14.4-RELEASE-p7)
2026-06-30 17:20:28 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name: CVE-2026-49415

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

The execve(2) system call replaces the calling process's image with a
new executable. When the target binary is set-user-ID (SUID), the
kernel installs a new virtual address space containing the binary's
code and data, then changes the process credentials to those of the
file owner.

II. Problem Description

During execve(2) of a SUID binary, the new virtual address space is
installed before the process credentials are updated. During this
window, a process running as the same user can access the target
process's memory via procfs or linprocfs, because the kernel's
debugging permission check still saw the original credentials.

III. Impact

An unprivileged local user can exploit this race to modify the
address space of a SUID binary before its credentials are elevated,
potentially gaining full control of the affected system.

IV. Workaround

No workaround is available.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-15.patch.asc
# gpg --verify execve-15.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.4.patch.asc
# gpg --verify execve-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.3.patch.asc
# gpg --verify execve-14.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ a80e40ce9ee0 stable/15-n284141
releng/15.1/ 46f7b5a64048 releng/15.1-n283567
releng/15.0/ de7144f7c391 releng/15.0-n281069
stable/14/ bb1154f3ea20 stable/14-n274435
releng/14.4/ 8fbbc185a3ff releng/14.4-n273729
releng/14.3/ 6772a8ece2c0 releng/14.3-n271529
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49415>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:39.execve.asc>

TOP

Mailings :

Last 20

Exploits :

Last 20