-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:13.exec                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local privilege escalation via execve()

Category:       core
Module:         execve(2)
Announced:      2026-04-29
Credits:        Ryan of Calif.io
Affects:        All supported versions of FreeBSD.
Corrected:      2026-04-29 14:47:46 UTC (stable/15, 15.0-STABLE)
                2026-04-29 14:48:27 UTC (releng/15.0, 15.0-RELEASE-p7)
                2026-04-29 14:48:49 UTC (stable/14, 14.4-STABLE)
                2026-04-29 14:49:40 UTC (releng/14.4, 14.4-RELEASE-p3)
                2026-04-29 14:49:21 UTC (releng/14.3, 14.3-RELEASE-p12)
                2026-04-29 14:50:05 UTC (stable/13, 13.5-STABLE)
                2026-04-29 14:50:17 UTC (releng/13.5, 13.5-RELEASE-p13)
CVE Name:       CVE-2026-7270

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

execve(2) is a system call is used to launch an executable image, including
scripts prefixed with a path to the interpreter.  The system call takes a
path to the image as a parameter, followed by extra arguments and environment
variables to be passed to the new image.

II.  Problem Description

An operator precedence bug in the kernel results in a scenario where a buffer
overflow causes attacker-controlled data to overwrite adjacent execve(2)
argument buffers.

III. Impact

The bug may be exploitable by an unprivileged user to obtain superuser
privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch
# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc
# gpg --verify exec.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              c3e943e78e06    stable/15-n283376
releng/15.0/                            934b48683c4f  releng/15.0-n281028
stable/14/                              ae00a52921ca    stable/14-n274075
releng/14.4/                            943aa64ba91a  releng/14.4-n273690
releng/14.3/                            f04c40607b8f  releng/14.3-n271491
stable/13/                              d619e3a3c0ec    stable/13-n259858
releng/13.5/                            7c5c37ac8f8f  releng/13.5-n259214
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-7270>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:13.exec.asc>
-----BEGIN PGP SIGNATURE-----

iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnyTiobFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvVDoP/2CASXfMizRLg2uhf7ab
Rq2AlXil/b3uDA316fV30LeAEc1X16VVRwuZbOPd8oovXnpt6ACj26Yg+4IsPyU9
ZEMNcm5tA0eEqicFrrVBNxyA41QMwB1S36+tyzoZ3CTWndTAu/5yVLb0VWoniW9S
cvf8xULDWBVI48DUKuJ86Bh5aUPNMy2bCMaQc5V88aK5Cc4CG2ZWJu3pJa4+MWq2
CBXgOA3k3qqTIQ5imrRl+9RFYe5WAEnAYNWRauXmQKeJA41bDseUB/Bghy6KY3y+
uuIelphX3pz36cRQd83CIs6IjH0TQ0slizGsmdQ8jVDEbK+kWzSegOo90E8hepQg
p929lZbUhpg98G2Fv7cLQ1W7+39dqrqcJubXb0xUcvBp6b9uEUJigRaYJJjxFBUc
wtR6sTMqZeyQE/EDubgKMepaY7BWe8K/kDRFzPuGf3LSxZUFtXdsXHixOz6GUBjT
oRgtF/QyPIDBlxzWriBI7hbY/4vcQ/XQ7/Q4+x5Q28CNsmw9dmqrolCel8Tvaqmy
eFbbIDl+tQn+GolIs9xudzTx4lu1DGYrONoK7Gpb83UxQahkeUEryqhUJApxBskk
3Yt8nG0wWP2U8rZ8JbrWAFNIZU4/j6t+FcFctuh1bnyd88bSuQgEMbcGZ40AP9nS
LBz716wDKXX8EOoJT6jjwZ7u
=VIf8
-----END PGP SIGNATURE-----