Multiple Privilege Escalation Vulnerabilities in FreeBSD (CVE-2026-45257, CVE-2026-49413)
Multiple vulnerabilities, including CVE-2026-45257 (kernel out-of-bounds write) and CVE-2026-49413 (arbitrary physical page mapping through the Linux compatibility layer), exist in FreeBSD branches 14 and 15 and allow a local unprivileged attacker to escalate to root.
CERT-FR has issued an advisory covering multiple privilege escalation vulnerabilities in FreeBSD. The two vulnerabilities, CVE-2026-45257 and CVE-2026-49413, affect various releases across the FreeBSD 14 and 15 branches. CVE-2026-45257 (FreeBSD-SA-26:26.ktls) is an out-of-bounds write in the rt_ktls_init_key and rt_ktls_set_key functions in the kernel's network routing code; CVE-2026-49413 (FreeBSD-SA-26:30.linux) lets a local attacker map arbitrary physical memory pages into its own address space through the Linux compatibility layer. Successful exploitation of either bug gives a local, unprivileged attacker root on the affected host, from which it can bypass security controls, exfiltrate data, or establish persistence. Both are kernel bugs, so remediation requires installing the patched kernel and rebooting; defenders should do so promptly.
Attack Chain
- Initial Access: A local unprivileged attacker gains or already possesses user-level access to a vulnerable FreeBSD system.
- Vulnerability Trigger (CVE-2026-45257): The attacker runs a crafted program that interacts with the kernel's routing table so that rt_ktls_init_key or rt_ktls_set_key performs an out-of-bounds write.
- Vulnerability Trigger (CVE-2026-49413): The attacker uses the Linux compatibility layer to issue malformed memory-mapping requests that map arbitrary physical memory pages into its process address space.
- Kernel Primitive Acquisition: Either bug yields a powerful kernel primitive, such as arbitrary kernel memory read/write or kernel code execution.
- Privilege Escalation: The attacker uses that primitive to rewrite the credentials (ucred) of its own process, setting its user ID (UID) and effective user ID (EUID) to 0 (root).
- Root Shell / Arbitrary Command Execution: With root privileges, the attacker typically spawns a root shell (e.g., /bin/sh) or executes arbitrary commands as the root user.
- Post-Exploitation Activity: The attacker proceeds to disable security measures, install backdoors, exfiltrate sensitive data, or deploy additional malicious payloads.
Impact
The successful exploitation of these privilege escalation vulnerabilities allows a local attacker to gain full control over the affected FreeBSD system. This can lead to complete system compromise, enabling the attacker to access, modify, or delete any data, install malware, create new privileged user accounts, or completely disable the system. For organizations, this translates to severe data breaches, disruption of critical services, and potential regulatory non-compliance. While specific victim counts are not provided, any unpatched FreeBSD system is at risk.
Recommendation
- Immediately apply the security updates provided by FreeBSD for the affected releases listed in advisories FreeBSD-SA-26:26.ktls (CVE-2026-45257) and FreeBSD-SA-26:30.linux (CVE-2026-49413). On release branches this is `freebsd-update fetch install` followed by a reboot, since both fixes are in the kernel; `freebsd-version -kru` shows the installed kernel, running kernel and userland versions, and a mismatch between the first two means the host is still running the old kernel.
- Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect post-exploitation activity.
- Enable comprehensive process_creation and file_event logging on FreeBSD systems so the provided Sigma rules have data to match. On FreeBSD the native source is audit(4): enable auditd and add the `ex` (exec) and `fw`/`fm` (file write / attribute modify) classes, plus the `argv` policy, to /etc/security/audit_control so exec records carry the command line.
- Review access controls and ensure that only trusted users have local access to FreeBSD systems, reducing the attack surface for local privilege escalation.
Detection coverage (3 rules)
Detects FreeBSD Privilege Escalation - Root Shell from Suspicious Context
Level: high. Detects a shell process (e.g., sh, bash, zsh) running with effective UID 0 (root) that is spawned from an unusual or unprivileged parent process, indicating successful local privilege escalation (e.g., via CVE-2026-45257 or CVE-2026-49413).
Detects FreeBSD Execution from Suspicious User-Writable Directories with Elevated Privileges
Level: high. Detects processes running with root privileges whose image lives in a user-writable directory such as /tmp, /var/tmp, or /dev/shm. This can indicate successful local privilege escalation where an attacker drops and executes a payload (e.g., via CVE-2026-45257 or CVE-2026-49413).
Detects FreeBSD Modification of Critical Authentication Files
Level: high. Detects attempts to modify critical authentication and authorization files on FreeBSD systems (e.g., /etc/master.passwd and /etc/passwd, the /etc/spwd.db and /etc/pwd.db caches, /etc/group, and /usr/local/etc/sudoers when sudo is installed from ports; FreeBSD has no /etc/shadow). Such modifications are often indicators of successful privilege escalation or account tampering, potentially as a post-exploitation activity of vulnerabilities like CVE-2026-45257 or CVE-2026-49413.
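The three rule descriptions above are the whole of what this brief gives; the full Sigma logic is on the platform. The following is an added example, not the platform's rules and not code from the FreeBSD project, showing one way to implement the same three checks over process-creation and file-write events such as FreeBSD audit(4) `ex` and `fw` records would yield. The event records, the allowlists of parents that legitimately hand out root shells, and the tools expected to rewrite the password database are constructed assumptions to be tuned per host.

```python
"""Toy detector for the three post-exploitation patterns described in the brief.

Added example. Event records below are constructed, not real audit output.
"""
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union

SHELLS = {"sh", "bash", "zsh", "csh", "tcsh", "ksh"}
# Images that legitimately spawn a root shell. Assumption: illustrative allowlist, tune per host.
TRUSTED_ROOT_PARENTS = {"sshd", "login", "sudo", "doas", "su", "cron", "init", "getty"}
USER_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# FreeBSD keeps hashes in /etc/master.passwd plus the spwd.db/pwd.db caches; ports sudo lives under /usr/local/etc.
AUTH_FILES = {"/etc/master.passwd", "/etc/passwd", "/etc/spwd.db", "/etc/pwd.db",
              "/etc/group", "/usr/local/etc/sudoers", "/usr/local/etc/doas.conf"}
# Tools expected to rewrite those files. Assumption: tune per host.
AUTH_FILE_WRITERS = {"/usr/sbin/pw", "/usr/bin/passwd", "/usr/bin/chpass",
                     "/usr/sbin/pwd_mkdb", "/usr/sbin/vipw", "/usr/local/sbin/visudo"}
FILE_WRITE_OPS = {"write", "create", "rename", "unlink", "chmod", "chown"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    exe: str          # image executed
    euid: int         # effective uid of the new process
    parent_exe: str
    parent_euid: int  # effective uid of the parent at exec time


@dataclass(frozen=True)
class FileEvent:
    pid: int
    exe: str          # image of the writing process
    euid: int
    op: str
    path: str


def _under(path: str, dirs) -> bool:
    # normpath collapses "/tmp/../etc/x" so a traversal cannot dodge the prefix check
    p = os.path.normpath(path)
    return any(p == d or p.startswith(d + "/") for d in dirs)


def root_shell_from_suspicious_parent(e: ProcEvent) -> bool:
    if e.euid != 0 or os.path.basename(e.exe) not in SHELLS:
        return False
    # An exploit that rewrote its own ucred is already euid 0 when it execs the shell,
    # so the parent's uid alone is not enough: the parent image must also be one that
    # legitimately grants root.
    return e.parent_euid != 0 or os.path.basename(e.parent_exe) not in TRUSTED_ROOT_PARENTS


def root_exec_from_user_writable_dir(e: ProcEvent) -> bool:
    return e.euid == 0 and _under(e.exe, USER_WRITABLE_DIRS)


def auth_file_modified_by_unexpected_tool(e: FileEvent) -> bool:
    return (e.op in FILE_WRITE_OPS
            and os.path.normpath(e.path) in AUTH_FILES
            and e.exe not in AUTH_FILE_WRITERS)


def run_rules(events: Iterable[Union[ProcEvent, FileEvent]]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a rule."""
    alerts: List[Tuple[str, int]] = []
    for e in events:
        if isinstance(e, ProcEvent):
            if root_shell_from_suspicious_parent(e):
                alerts.append(("root_shell_suspicious_parent", e.pid))
            if root_exec_from_user_writable_dir(e):
                alerts.append(("root_exec_user_writable_dir", e.pid))
        elif isinstance(e, FileEvent):
            if auth_file_modified_by_unexpected_tool(e):
                alerts.append(("auth_file_modified", e.pid))
    return alerts


# Constructed sample timeline: two benign root shells, then an exploit run as uid 1001.
SAMPLE_EVENTS = [
    ProcEvent(501, "/bin/sh", 0, "/usr/sbin/sshd", 0),                    # admin login
    ProcEvent(502, "/bin/sh", 0, "/usr/local/bin/sudo", 0),               # sudo -s
    ProcEvent(700, "/tmp/lpe", 1001, "/bin/sh", 1001),                    # exploit starts unprivileged
    ProcEvent(701, "/bin/sh", 0, "/tmp/lpe", 0),                          # exploit now euid 0, spawns shell
    ProcEvent(702, "/tmp/.x/bd", 0, "/bin/sh", 0),                        # root payload run from /tmp
    FileEvent(703, "/usr/bin/passwd", 0, "write", "/etc/master.passwd"),  # benign password change
    FileEvent(704, "/bin/sh", 0, "write", "/etc/../etc/master.passwd"),   # attacker adds a root account
]

if __name__ == "__main__":
    for rule, pid in run_rules(SAMPLE_EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

Running the sample yields exactly three alerts, for pids 701, 702 and 704; the exploit's own launch (pid 700) is not flagged because it still ran as uid 1001, which is why the parent-image check in the first rule matters.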
Indicators of compromise (4 URLs)
| Type | Value |
|---|---|
| url | https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc |
| url | https://www.freebsd.org/security/advisories/FreeBSD-SA-26:30.linux.asc |
| url | https://www.cve.org/CVERecord?id=CVE-2026-45257 |
| url | https://www.cve.org/CVERecord?id=CVE-2026-49413 |