{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/freebsd-branch-15.0-versions-prior-to-15.0-n281057/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FreeBSD branch 14 versions prior to 14-n274315","FreeBSD branch 14.3 versions prior to 14.3-n271519","FreeBSD branch 14.4 versions prior to 14.4-n273719","FreeBSD branch 15 versions prior to 15-n283886","FreeBSD branch 15.0 versions prior to 15.0-n281057","FreeBSD branch 15.1 versions prior to 15.1-n283555"],"_cs_severities":["high"],"_cs_tags":["freebsd","vulnerability","privilege-escalation","local-privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["FreeBSD"],"content_html":"\u003cp\u003eCERT-FR has issued an advisory regarding multiple privilege escalation vulnerabilities discovered in FreeBSD. These vulnerabilities, identified as CVE-2026-45257 and CVE-2026-49413, affect various versions across FreeBSD branches 14 and 15. CVE-2026-45257 involves an out-of-bounds write in the \u003ccode\u003ert_ktls_init_key\u003c/code\u003e and \u003ccode\u003ert_ktls_set_key\u003c/code\u003e functions within the kernel's network routing code, while CVE-2026-49413 allows a local attacker to map arbitrary physical memory pages via the Linux compatibility layer. Successful exploitation grants a local, unprivileged attacker root privileges on the compromised system, enabling them to bypass security controls, exfiltrate data, or establish persistence. It is crucial for defenders to patch affected systems immediately to prevent unauthorized access and system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A local unprivileged attacker gains or already possesses user-level access to a vulnerable FreeBSD system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger (CVE-2026-45257)\u003c/strong\u003e: The attacker executes a specially crafted program that interacts with the kernel's routing table, specifically targeting the \u003ccode\u003ert_ktls_init_key\u003c/code\u003e or \u003ccode\u003ert_ktls_set_key\u003c/code\u003e functions to trigger an out-of-bounds write.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger (CVE-2026-49413)\u003c/strong\u003e: The attacker utilizes the Linux compatibility layer to perform malformed memory mapping operations, allowing them to map arbitrary physical memory pages into their process address space.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKernel Primitive Acquisition\u003c/strong\u003e: Successful exploitation of either vulnerability provides the attacker with a powerful kernel primitive, such as arbitrary kernel memory read/write capabilities or kernel code execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation\u003c/strong\u003e: The attacker leverages the kernel primitive to modify their process's credentials, effectively elevating their user ID (UID) and effective user ID (EUID) to \u003ccode\u003e0\u003c/code\u003e (root).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRoot Shell / Arbitrary Command Execution\u003c/strong\u003e: With root privileges, the attacker typically spawns a root shell (e.g., \u003ccode\u003e/bin/sh\u003c/code\u003e) or executes arbitrary commands as the \u003ccode\u003eroot\u003c/code\u003e user.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation Activity\u003c/strong\u003e: The attacker proceeds with actions such as disabling security measures, installing backdoors, exfiltrating sensitive data, or deploying additional malicious payloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of these privilege escalation vulnerabilities allows a local attacker to gain full control over the affected FreeBSD system. This can lead to complete system compromise, enabling the attacker to access, modify, or delete any data, install malware, create new privileged user accounts, or completely disable the system. For organizations, this translates to severe data breaches, disruption of critical services, and potential regulatory non-compliance. While specific victim counts are not provided, any unpatched FreeBSD system is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the security updates provided by FreeBSD for the affected versions mentioned in the FreeBSD security advisories CVE-2026-45257 and CVE-2026-49413.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003efile_event\u003c/code\u003e logging on FreeBSD systems to allow for detection of suspicious activity by the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eReview access controls and ensure that only trusted users have local access to FreeBSD systems, reducing the attack surface for local privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-14T09:13:46Z","date_published":"2026-06-14T09:13:46Z","id":"https://feed.craftedsignal.io/briefs/2026-06-freebsd-lpe/","summary":"Multiple vulnerabilities, including CVE-2026-45257 (kernel out-of-bounds write) and CVE-2026-49413 (Linux compatibility layer memory mapping), exist in FreeBSD branches 14 and 15, allowing a local unprivileged attacker to achieve privilege escalation.","title":"Multiple Privilege Escalation Vulnerabilities in FreeBSD (CVE-2026-45257, CVE-2026-49413)","url":"https://feed.craftedsignal.io/briefs/2026-06-freebsd-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed - FreeBSD Branch 15.0 Versions Prior to 15.0-N281057","version":"https://jsonfeed.org/version/1.1"}