TL;DR
On June 30, 2026, the FreeBSD Project shipped three advisories covering FreeBSD privilege escalation bugs in the kernel. Each flaw lets an unprivileged local user aim for root, and two open a path to full control. No workaround exists, so patching is the only fix.
Why It Matters
FreeBSD powers storage appliances, firewalls, and cloud hosts, so a local root bug carries real weight. Two of the three flaws affect every supported release. The third hits FreeBSD 15.0 and later. Notably, a Tsinghua University team found the jail bug with help from an AI model, GLM-5.1. Meanwhile, Synacktiv reported the execve race, and a researcher known as slidybat reported the memory bug. So far, none of the advisories report exploitation in the wild, and no public proof-of-concept has surfaced.
How the Attacks Work
All three FreeBSD privilege escalation bugs share one trait: they need only local access, not network reach. Each abuses a low-level kernel routine that an ordinary user can call. The three mechanisms differ, yet each ends in memory the attacker should not control. The advisories describe the flaws at a high level and omit working exploit code.
Device pager use-after-free (CVE-2026-49418)
The first flaw sits in the virtual memory subsystem. When a program calls msync with MS_INVALIDATE on a device mapping, the affected pages stay in the pager list. A later fault then re-inserts a page and corrupts that list. As a result, the kernel frees the same page twice, a classic use-after-free.
Jail reference count underflow (CVE-2026-49419)
The jail bug appears when a caller uses a jail descriptor. Here the kernel drops a reference to the current prison too early. If the descriptor lookup then fails, the error path releases that same reference again. Consequently, the prison structure can be freed while code still uses it. On the host, that usually triggers a panic, but inside a jail it may lift privileges.
execve TOCTOU race (CVE-2026-49415)
The third issue is a timing race during execve of a SUID binary. The kernel installs the new address space before it raises the process credentials. During that short window, a same-user process can edit the target memory through procfs. Therefore, an attacker can hijack the binary just before its privileges rise.
Affected Versions
CVE-2026-49418 and CVE-2026-49415 affect all supported FreeBSD versions. By contrast, CVE-2026-49419 affects only FreeBSD 15.0 and later, because jail descriptors arrived in that release. The fixes landed across the stable/14, stable/15, and releng branches on June 30, 2026.
Patch and Mitigation
Upgrade now, since no workaround exists for these FreeBSD privilege escalation bugs. Base-package systems can run pkg upgrade -r FreeBSD-base, while release systems can use freebsd-update fetch and freebsd-update install. Source users can apply the signed patches instead. After the update, reboot to load the corrected kernel. For version details and patch links, check the official FreeBSD security advisories page.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.