=============================================================================
FreeBSD-SA-26:39.execve                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Local privilege escalation via execve(2) TOCTOU race

Category:       core
Module:         execve
Announced:      2026-06-30
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-26 22:20:44 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:21:55 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:22 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-28 00:30:18 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:20:55 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:28 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-49415

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The execve(2) system call replaces the calling process's image with a new
executable.  When the target binary is set-user-ID (SUID), the kernel
installs a new virtual address space containing the binary's code and data,
then changes the process credentials to those of the file owner.

II.  Problem Description

During execve(2) of a SUID binary, the new virtual address space is
installed before the process credentials are updated.  During this window,
a process running as the same user can access the target process's memory
via procfs or linprocfs, because the kernel's debugging permission check
still sees the original credentials.

III. Impact

An unprivileged local user can exploit this race to modify the address
space of a SUID binary before its credentials are elevated, potentially
gaining full control of the affected system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64
or arm64 platforms, which were installed using base system packages, can
be updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-15.patch.asc
# gpg --verify execve-15.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.4.patch.asc
# gpg --verify execve-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.3.patch.asc
# gpg --verify execve-14.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              a80e40ce9ee0    stable/15-n284141
releng/15.1/                            46f7b5a64048  releng/15.1-n283567
releng/15.0/                            de7144f7c391  releng/15.0-n281069
stable/14/                              bb1154f3ea20    stable/14-n274435
releng/14.4/                            8fbbc185a3ff  releng/14.4-n273729
releng/14.3/                            6772a8ece2c0  releng/14.3-n271529
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
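
An added example (not part of the FreeBSD advisory): two sh functions that classify a host against the patch levels in the "Corrected" field and the commit counts in the "Correction details" table. The function names and the patched / vulnerable / unknown labels are assumptions of this example; the version string is expected in the format printed by freebsd-version(1).

```sh
#!/bin/sh
# Added example, not FreeBSD project code. Thresholds are copied from the
# "Corrected" field and the "Correction details" table of this advisory.

# _sa2639_cmp HAVE FIXED: print patched if HAVE >= FIXED, else vulnerable.
_sa2639_cmp() {
    case $1 in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$1" -ge "$2" ]; then echo patched; else echo vulnerable; fi
}

# sa2639_release_status VERSION
#   VERSION looks like "15.0-RELEASE-p10" (output of `freebsd-version -r`
#   for the running kernel, `-k` for the installed one; if they differ,
#   a reboot is still pending).
sa2639_release_status() {
    case $1 in
        *-RELEASE-p*) plevel=${1##*-p} ;;
        *-RELEASE)    plevel=0 ;;
        *) echo unknown; return 0 ;;   # -STABLE etc.: use the commit count
    esac
    case ${1%%-*} in
        15.1) _sa2639_cmp "$plevel" 1 ;;
        15.0) _sa2639_cmp "$plevel" 11 ;;
        14.4) _sa2639_cmp "$plevel" 7 ;;
        14.3) _sa2639_cmp "$plevel" 16 ;;
        *) echo unknown ;;             # branch not listed in the advisory
    esac
}

# sa2639_commit_status BRANCH COUNT
#   COUNT is the output of `git rev-list --count --first-parent HEAD`
#   in a source tree checked out on BRANCH.
sa2639_commit_status() {
    case $1 in
        stable/15)   _sa2639_cmp "$2" 284141 ;;
        releng/15.1) _sa2639_cmp "$2" 283567 ;;
        releng/15.0) _sa2639_cmp "$2" 281069 ;;
        stable/14)   _sa2639_cmp "$2" 274435 ;;
        releng/14.4) _sa2639_cmp "$2" 273729 ;;
        releng/14.3) _sa2639_cmp "$2" 271529 ;;
        *) echo unknown ;;
    esac
}

# On a FreeBSD host: sa2639_release_status "$(freebsd-version -r)"
```

Check the running kernel rather than only the installed one, because the fix does not take effect until the system has rebooted.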