CVE-2026-45257

Published Jun 26, 2026

Last updated 2 hours ago

CVSS high 7.8

Overview

Description: The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Source: secteam@freebsd.org
NVD status: Analyzed
Products: freebsd

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

secteam@freebsd.org: CWE-123

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*",
            "matchCriteriaId": "9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*",
            "matchCriteriaId": "D3D22B8C-36CF-4800-9673-0B0240558BDD",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*",
            "matchCriteriaId": "7296F5AA-F8C1-4277-A4EE-C2B24073A320",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*",
            "matchCriteriaId": "C30E4A9C-0594-4F40-92B3-26CB9AA85AE9",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:*",
            "matchCriteriaId": "9F83F91B-587A-433C-99DB-0D63E267FF16",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p13:*:*:*:*:*:*",
            "matchCriteriaId": "44B9C2FC-756E-459F-8E68-C2C2B8C258AC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p14:*:*:*:*:*:*",
            "matchCriteriaId": "A11526CF-505E-47DF-8388-65CB216D2022",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*",
            "matchCriteriaId": "242FA2A8-5D7D-4617-A411-2651FF3A3E4C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*",
            "matchCriteriaId": "40573F60-F3B7-4AEC-846A-B08E5B7D9D00",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*",
            "matchCriteriaId": "1FB832CE-0A98-44A2-8BAC-CD38A64279B6",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*",
            "matchCriteriaId": "9A785F8E-C218-41AE-8D57-BF06DDAEF7CB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*",
            "matchCriteriaId": "C3909FDD-B2A2-45B6-A40B-1D303A717F15",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*",
            "matchCriteriaId": "720597A2-F181-46E1-8A0D-097E17ADC4FB",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*",
            "matchCriteriaId": "DC8A75D0-148A-427A-9783-45477EABED21",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*",
            "matchCriteriaId": "F5D39FC9-6DBA-46C8-BB80-A6188E6A8527",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*",
            "matchCriteriaId": "8F3856BE-666F-4FA1-A6AD-FE179CEBF1E4",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*",
            "matchCriteriaId": "D9CC0037-3282-42C3-80D8-F6C1D43B9332",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*",
            "matchCriteriaId": "1EADA828-3C20-43C0-A0CA-3AC7D7F23DBD",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p3:*:*:*:*:*:*",
            "matchCriteriaId": "53D73FD2-4B06-47D3-BA2A-4363E9DE3565",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p4:*:*:*:*:*:*",
            "matchCriteriaId": "D726890B-E679-43A9-A211-D5C05BBE3941",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:p5:*:*:*:*:*:*",
            "matchCriteriaId": "CBE94635-5277-4050-8098-F062091F6596",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*",
            "matchCriteriaId": "0342A715-E211-4AF6-97ED-32EB9EBB947D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*",
            "matchCriteriaId": "368CFE5D-C5C2-42AF-AAF4-28DFE1A59C3B",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*",
            "matchCriteriaId": "AA4AAA57-70A7-4717-ACF2-A253E757FF2C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*",
            "matchCriteriaId": "E24ABFA6-4D12-4DE5-832B-438502C7D188",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*",
            "matchCriteriaId": "C1C9869C-494B-4628-9AA3-4AA5B989C377",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*",
            "matchCriteriaId": "002AA2FE-C7BA-471A-9434-0E56A878ACBF",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*",
            "matchCriteriaId": "B187670D-E3A2-4A0D-A653-982F8B447E78",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*",
            "matchCriteriaId": "047E7EE9-FB51-4CF2-A8BE-484BFD819565",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p7:*:*:*:*:*:*",
            "matchCriteriaId": "2C9768AE-9954-4B2A-9525-D7D4942406E7",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p8:*:*:*:*:*:*",
            "matchCriteriaId": "F8B9EF55-3755-452A-B067-043803099B22",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p9:*:*:*:*:*:*",
            "matchCriteriaId": "EE3C4F40-A117-4B37-8CDD-096A1A763630",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:freebsd:freebsd:15.1:rc2:*:*:*:*:*:*",
            "matchCriteriaId": "BF16D01F-95EC-4FE3-B32D-135CB82E8391",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References