7.8

CVE-2026-45257

Arbitrary file overwrite via the KTLS receive path

The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify.  This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs.  When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged.  Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.

An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive.  The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk.  By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
FreebsdFreebsd Version14.3 Update-
FreebsdFreebsd Version14.3 Updatep1
FreebsdFreebsd Version14.3 Updatep10
FreebsdFreebsd Version14.3 Updatep11
FreebsdFreebsd Version14.3 Updatep12
FreebsdFreebsd Version14.3 Updatep13
FreebsdFreebsd Version14.3 Updatep14
FreebsdFreebsd Version14.3 Updatep2
FreebsdFreebsd Version14.3 Updatep3
FreebsdFreebsd Version14.3 Updatep4
FreebsdFreebsd Version14.3 Updatep5
FreebsdFreebsd Version14.3 Updatep6
FreebsdFreebsd Version14.3 Updatep7
FreebsdFreebsd Version14.3 Updatep8
FreebsdFreebsd Version14.3 Updatep9
FreebsdFreebsd Version14.4 Update-
FreebsdFreebsd Version14.4 Updatep1
FreebsdFreebsd Version14.4 Updatep2
FreebsdFreebsd Version14.4 Updatep3
FreebsdFreebsd Version14.4 Updatep4
FreebsdFreebsd Version14.4 Updatep5
FreebsdFreebsd Version14.4 Updaterc1
FreebsdFreebsd Version15.0 Update-
FreebsdFreebsd Version15.0 Updatep1
FreebsdFreebsd Version15.0 Updatep2
FreebsdFreebsd Version15.0 Updatep3
FreebsdFreebsd Version15.0 Updatep4
FreebsdFreebsd Version15.0 Updatep5
FreebsdFreebsd Version15.0 Updatep6
FreebsdFreebsd Version15.0 Updatep7
FreebsdFreebsd Version15.0 Updatep8
FreebsdFreebsd Version15.0 Updatep9
FreebsdFreebsd Version15.1 Updaterc2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.15% 0.049
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.8 1.8 5.9
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-123 Write-what-where Condition

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

https://security.freebsd.org/advisories/FreeBSD-SA-26:26.ktls.asc
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/06/10/20
Third Party Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/06/10/21
Third Party Advisory
Mailing List
https://www.heise.de/en/news/FreeBSD-Privilege-Escalation-Vulnerability-with-Tongue-in-Cheek-Codename-11329109.html
Third Party Advisory