From nobody Wed Apr 29 18:46:09 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R8d3yZPz6bftj for ; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R8d15HDz3LfZ; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488369; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=A/XwNBpbF2sN/Hdonm448dGX9avMSxaoy2aNIzE1owU=; b=MlGkUhtgtnKKZ/3z9bK/p4nh08sMqpITZbZQtCE50owjRUfQbdkNBdLT2xiyaFJGvzfjy2 0WsZLsHNXUSfhnDkSZbMGqz/niK6K3DL/KMyr50kJkRLswdSjqnuEdoL/1CnnkkYz7Nwr2 xiNLtEHs+WCQlMRNEwqihixoP9BJVz/mWtDDUINkYXnYqDXNDAtvdSvqhU9p06PQPM261y DlaH9jP9vEpv7XtA1riSa8FHZEEjCEWQsv5WUP/RAfXvhZwXoqH5iicnezTF6zBXrpp8ML TrvNAnlS4MQBNoo0xrQ2er2Ox6MMgER0mHxxhnds6AtA6yf8DjizNiL+MLqKOw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488369; a=rsa-sha256; cv=none; b=KDS181STMrdfxy51CK7eTx8sQzNv59ctXbKGPoNKU/5OKxuVIdeUfnwnyACYlyZwgdV4or n4a/8OjB5F1TOXhmP4a/FGOq5dsk8XOCoXtY+aRF4OljmtZliDXJP6y80GiabtfMxRTadz sH8aAF9d1aY9LF39NenIUXLJTZIWV1z7MnoHzBiCSYOJcnwzuDmedISiYMSWp/WotuWJ1m wOrnak7oW/pNC/0/sJswc8HD2UjfMQc+zj4gn5rXupkm4QjdaH+3J922jD4P+u0JW0Hpg4 3c71pKGJ+UiHmeZq1xjpNBgekWGkpxjNQapM3Llm9cGrM8thoyYFZtK87FLm2w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488369; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=A/XwNBpbF2sN/Hdonm448dGX9avMSxaoy2aNIzE1owU=; b=rdYW5bX71h2faxI3hvTbDhiFE4+9uWbVNyowe/4njGK/XPrH2BzTMB/HvVEssRMI9y7oun leY9Uan6Bv1jF1QMSiKmBXdMBip0J4qs3/RuG0k29scWnifaKJEN9bRSex3xDGj4H3uEAX o8QkyGjhijR7EACs29JYWC54Nk+eBzDA3scseGL/L/p4mTB6k6dq/MTWU4MraSSDlCQGz6 qEaMrV0TtZaOcbuI2YsT4hSHyGDMRuir5tTt2IT7cHQ/3XZ2EHJ1hGkCsTFIsE8e7MHHN6 TBnel5i0PyK7V+PfZC6v9ENZNhoQ3TpaHlg6WXH+3aebN8+HV0riLs7szTl5Zw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 164C499AC; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:13.exec Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184609.164C499AC@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:46:09 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:13.exec Security Advisory The FreeBSD Project Topic: Local privilege escalation via execve() Category: core Module: execve(2) Announced: 2026-04-29 Credits: Ryan of Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:46 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:27 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:49 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:40 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:21 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:05 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:17 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-7270 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background execve(2) is a system call is used to launch an executable image, including scripts prefixed with a path to the interpreter. The system call takes a path to the image as a parameter, followed by extra arguments and environment variables to be passed to the new image. II. Problem Description An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. III. Impact The bug may be exploitable by an unprivileged user to obtain superuser privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch # fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc # gpg --verify exec.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ c3e943e78e06 stable/15-n283376 releng/15.0/ 934b48683c4f releng/15.0-n281028 stable/14/ ae00a52921ca stable/14-n274075 releng/14.4/ 943aa64ba91a releng/14.4-n273690 releng/14.3/ f04c40607b8f releng/14.3-n271491 stable/13/ d619e3a3c0ec stable/13-n259858 releng/13.5/ 7c5c37ac8f8f releng/13.5-n259214 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnyTiobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvVDoP/2CASXfMizRLg2uhf7ab Rq2AlXil/b3uDA316fV30LeAEc1X16VVRwuZbOPd8oovXnpt6ACj26Yg+4IsPyU9 ZEMNcm5tA0eEqicFrrVBNxyA41QMwB1S36+tyzoZ3CTWndTAu/5yVLb0VWoniW9S cvf8xULDWBVI48DUKuJ86Bh5aUPNMy2bCMaQc5V88aK5Cc4CG2ZWJu3pJa4+MWq2 CBXgOA3k3qqTIQ5imrRl+9RFYe5WAEnAYNWRauXmQKeJA41bDseUB/Bghy6KY3y+ uuIelphX3pz36cRQd83CIs6IjH0TQ0slizGsmdQ8jVDEbK+kWzSegOo90E8hepQg p929lZbUhpg98G2Fv7cLQ1W7+39dqrqcJubXb0xUcvBp6b9uEUJigRaYJJjxFBUc wtR6sTMqZeyQE/EDubgKMepaY7BWe8K/kDRFzPuGf3LSxZUFtXdsXHixOz6GUBjT oRgtF/QyPIDBlxzWriBI7hbY/4vcQ/XQ7/Q4+x5Q28CNsmw9dmqrolCel8Tvaqmy eFbbIDl+tQn+GolIs9xudzTx4lu1DGYrONoK7Gpb83UxQahkeUEryqhUJApxBskk 3Yt8nG0wWP2U8rZ8JbrWAFNIZU4/j6t+FcFctuh1bnyd88bSuQgEMbcGZ40AP9nS LBz716wDKXX8EOoJT6jjwZ7u =VIf8 -----END PGP SIGNATURE-----