From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:18.setcred
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260520222336.B3A779C43@freefall.freebsd.org>
Date: Wed, 20 May 2026 22:23:36 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:18.setcred                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Stack buffer overflow via setcred(2)

Category:       core
Module:         setcred
Announced:      2026-05-20
Credits:        Ryan of Calif.io
Credits:        Przemyslaw Frasunek
Affects:        All supported versions of FreeBSD.
Corrected:      2026-01-06 13:34:30 UTC (stable/15, 15.0-STABLE)
                2026-05-20 19:39:28 UTC (releng/15.0, 15.0-RELEASE-p9)
                2026-05-20 19:37:54 UTC (stable/14, 14.4-STABLE)
                2026-05-20 19:39:54 UTC (releng/14.4, 14.4-RELEASE-p5)
                2026-05-20 19:40:32 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name:       CVE-2026-45250

This vulnerability was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

System calls are the programmatic interface through which user-space
processes request services from the operating system kernel, providing a
controlled boundary between unprivileged application code and privileged
kernel operations.

setcred(2) is a system call which enables a privileged process to
atomically set its full credential set, including the real, effective, and
saved user and group identifiers, as well as the list of supplementary
groups.  It is intended for use by programs such as login(1) and
PAM(3)-aware authentication frameworks that must transition a process into
a target user context in a single, race-free operation, replacing the need
for multiple discrete calls to setuid(2), setgid(2), and setgroups(2).

II.  Problem Description

The setcred(2) system call is only available to privileged users.  However,
before the privilege level of the caller is checked, the user-supplied list
of supplementary groups is copied into a fixed-size kernel stack buffer
without first validating its length.  If the supplied list exceeds the
capacity of that buffer, a stack buffer overflow occurs.

III. Impact

Because the bounds check on the supplementary groups list occurs after the
kernel stack buffer has already been written, an unprivileged local user
may trigger the overflow without holding any special privilege.  Successful
exploitation may allow an attacker to execute arbitrary code in the context
of the kernel, allowing an unprivileged local user to gain elevated
privileges on the affected system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch.asc
# gpg --verify setcred-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch.asc
# gpg --verify setcred-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              b6cba9028457    stable/15-n281743
releng/15.0/                            d98c0a494a42  releng/15.0-n281038
stable/14/                              8eb0bbbd2e46    stable/14-n274162
releng/14.4/                            34da5845b8d4  releng/14.4-n273702
releng/14.3/                            bfff5c180193  releng/14.3-n271502
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
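
The following check is an added example, not part of the FreeBSD advisory:
it classifies a kernel version string against the patch levels in the
"Corrected:" field above. The function name setcred_fix_status is
hypothetical; the script assumes freebsd-version(1) with its -r (running
kernel) and -k (installed kernel) options.

```sh
#!/bin/sh
# Added example, not part of the advisory. Patch levels below are taken from
# the "Corrected:" field of FreeBSD-SA-26:18.setcred.

# setcred_fix_status VERSION   (hypothetical helper name)
# Prints patched | vulnerable | check-commit | unlisted; returns 0 only when
# VERSION is a RELEASE at or above the corrected patch level.
setcred_fix_status() {
    ver=$1
    case $ver in
        *-RELEASE*) ;;
        *-STABLE*)
            # STABLE strings carry no patch level: compare the tree's commit
            # count with the nNNNNNN revision in the correction table instead.
            echo check-commit; return 2 ;;
        *)  echo unlisted; return 3 ;;
    esac
    release=${ver%%-RELEASE*}      # "14.3-RELEASE-p14" -> "14.3"
    patch=${ver##*-RELEASE}        # "-p14", or "" for an unpatched RELEASE
    patch=${patch#-p}
    patch=${patch:-0}
    case $patch in
        *[!0-9]*) echo unlisted; return 3 ;;
    esac
    case $release in
        15.0) need=9 ;;
        14.4) need=5 ;;
        14.3) need=14 ;;
        *)    echo unlisted; return 3 ;;   # branch not named in the advisory
    esac
    if [ "$patch" -ge "$need" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# The running kernel (-r) stays vulnerable until the reboot, even when the
# installed kernel (-k) is already patched, so report both.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -r -k; do
        v=$(freebsd-version "$flag")
        printf '%s %s: %s\n' "$flag" "$v" "$(setcred_fix_status "$v")"
    done
fi
```

A result of "unlisted" means the release is not named in the advisory's
correction list, not that it is safe.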