TL;DR
FreeBSD has patched a kernel flaw, CVE-2026-45257, that hands local root to any unprivileged user. This FreeBSD kTLS vulnerability sits in the Kernel TLS receive path. Researchers published full technical details and a working proof-of-concept exploit the moment the advisory went live. As a result, the window to patch is right now.
Why it matters
The flaw delivers a reliable local privilege escalation. It needs no race condition and no exotic setup. Stock GENERIC kernel defaults are enough to trigger it. Therefore, any local shell, web-hosting container, or jail with default capabilities is exposed. The researcher compares it to Linux’s Dirty Pipe, and the comparison fits. The write reaches the file’s backing page through the kernel direct map. Consequently, it skips the normal filesystem layer entirely. It bypasses file permissions, read-only intent, and the chflags schg immutable flag. On UFS, the damage even persists to disk. Multi-tenant FreeBSD hosts face the most risk. The full disclosure hit the public oss-security mailing list on June 10, 2026.
How the attack works
The kTLS receive path decrypts each TLS record in place. It assumes the buffers holding incoming data are private and safe to overwrite. That assumption breaks for data queued with sendfile(2). sendfile builds file-backed buffers that point straight at the page cache. Send that data over a loopback connection, and a kernel guard remaps the buffers rather than copying them. The remapped buffer still references the original physical page.
Meanwhile, enabling kTLS on the receive side requires no privilege check. So an unprivileged user can switch it on and supply an AES-GCM key of their choosing. The in-place decrypt then runs against the page-cache page itself. Because the attacker controls the key, they control every plaintext byte written. The bytes land directly in the cached file. Overwriting a setuid root binary turns that write into a root shell. The published exploit finishes in roughly 1.5 seconds.
Why the kernel guards fail
FreeBSD ships three checks that should stop this. One copies small buffers to a safe location, but only below a size threshold. Another converts buffers on loopback, yet it remaps pages instead of copying bytes. The third never checks for file-backed pages at all. Each guard falls short here.
Affected versions
The vulnerable code first shipped in FreeBSD 13.0 in April 2021. This FreeBSD kTLS vulnerability affects releases 13.0 through 13.4, 14.0 through 14.2, and 15.0-RELEASE. FreeBSD 12.x and earlier are not affected. All direct-map architectures fall in scope, including amd64, arm64, and riscv.
Patch and mitigation
FreeBSD corrected the bug across all supported branches. The official FreeBSD-SA-26:26.ktls advisory lists the patches and upgrade commands. Apply the update and reboot as soon as you can. Cannot patch right away? Two sysctl workarounds buy time. Setting kern.ipc.mb_use_ext_pgs=0 disables the EXTPG sendfile fast path. Setting kern.ipc.tls.enable=0 turns kTLS off completely. Either choice closes the hole until you upgrade.
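A small triage helper for the two questions above: is this host's base release in the ranges the advisory names, and is either sysctl workaround in effect? This is an added example written for this article, not code from FreeBSD or the advisory. It assumes `uname -r` prints a string such as `14.2-RELEASE-p3` and that `sysctl -n` prints a bare value; patch levels that carry the fix are not given on this page, so an affected base release only means "check the patch level against FreeBSD-SA-26:26.ktls", and a release outside the listed ranges is reported as not listed rather than safe.

```shell
#!/bin/sh
# Added example (not from the advisory or the article): triage helper for
# FreeBSD-SA-26:26.ktls / CVE-2026-45257. Classifies a release string against
# the affected base releases the advisory lists (13.0-13.4, 14.0-14.2, 15.0)
# and checks whether either sysctl workaround is active.

# Return 0 if the base release (e.g. "14.2" from "14.2-RELEASE-p3") is in
# the affected set. Patch level is deliberately ignored: the page does not
# state which -pN levels carry the fix, so verify that against the advisory.
ktls_release_affected() {
    base=${1%%-*}                      # strip "-RELEASE-pN", "-STABLE", ...
    case "$base" in
        13.0|13.1|13.2|13.3|13.4) return 0 ;;
        14.0|14.1|14.2)           return 0 ;;
        15.0)                     return 0 ;;
        *)                        return 1 ;;
    esac
}

# Return 0 if either advisory workaround is in effect.
# $1 = kern.ipc.mb_use_ext_pgs value, $2 = kern.ipc.tls.enable value
# (kern.ipc.mb_use_ext_pgs=0 disables the EXTPG sendfile fast path;
#  kern.ipc.tls.enable=0 turns kTLS off entirely)
ktls_workaround_active() {
    [ "$1" = "0" ] || [ "$2" = "0" ]
}

# One-word verdict for reporting:
#   exposed    - listed base release, no workaround set (patch or set a sysctl)
#   mitigated  - listed base release, workaround set (still upgrade)
#   not-listed - base release not in the advisory's ranges (12.x and earlier
#                are unaffected; newer point releases: check the advisory)
ktls_verdict() {
    if ! ktls_release_affected "$1"; then
        echo "not-listed"
    elif ktls_workaround_active "$2" "$3"; then
        echo "mitigated"
    else
        echo "exposed"
    fi
}

# Live use on a FreeBSD host (assumed invocation):
#   ktls_verdict "$(uname -r)" \
#       "$(sysctl -n kern.ipc.mb_use_ext_pgs)" "$(sysctl -n kern.ipc.tls.enable)"
# Constructed sample values so the script also runs where sysctl is absent:
ktls_verdict "14.2-RELEASE-p1" 1 1     # exposed
ktls_verdict "14.2-RELEASE-p1" 0 1     # mitigated
ktls_verdict "12.4-RELEASE"    1 1     # not-listed
```

The `not-listed` verdict is intentional: the article only says which releases are affected and that 12.x is not, so the script refuses to call anything else safe on its own.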
No in-the-wild exploitation has been confirmed so far. Still, the public proof-of-concept code sharply lowers the bar for attackers. The researcher’s tongue-in-cheek disclosure site walks through the flaw in detail. Patch cadence matters most on appliances, firewalls, and storage systems built on FreeBSD. Treat this one as urgent.