CVE-2014-3880
Description
In FreeBSD kernels before the patched releases, execve/fexecve could destroy the VM address space before all threads had terminated, leading to a triple fault and system reboot (denial of service) via a crafted system call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The execve and fexecve system calls in FreeBSD kernel versions 8.4 before p11, 9.1 before p14, 9.2 before p7, and 10.0 before p4 allow a local user to cause a denial of service. The vulnerability occurs because the kernel can destroy the virtual memory address space and mappings before all threads in a process have terminated. When a threaded process executes a new program, the VM subsystem may take an optimization path that removes usermode mappings without fully destroying the address space, but if the process is still in an inconsistent state (e.g., other threads still running), this can lead to an invalid page table pointer dereference, resulting in a triple-fault and system reboot [1].
Exploitation
An attacker must have local access to the system and the ability to issue a crafted system call from a threaded process. Specifically, the attacker needs to invoke execve or fexecve in a process where threads are still active. The exploit does not require special privileges; any user who can run code can trigger the condition. The exact sequence involves calling execve or fexecve from a process created with rfork or similar that shares address space, such that the kernel's optimization path is taken while threads remain. This triggers the premature destruction of the address space [1].
Impact
Successful exploitation results in a denial of service: the system suffers a triple-fault and crashes with a system reboot. The vulnerability does not allow privilege escalation or data corruption; it only causes a kernel panic that requires a reboot. The attack can be used by any local user to crash the machine, disrupting services.
Mitigation
FreeBSD released patches on 2014-06-03 for all affected stable branches. The corrected versions are: stable/10 and 10.0-RELEASE-p4, stable/9 and 9.2-RELEASE-p7 (and 9.1-RELEASE-p14), stable/8 and 8.4-RELEASE-p11 [1]. System administrators should update their FreeBSD systems to the latest patched version available. There is no workaround other than applying the patch, as the fix addresses the race condition in the VM subsystem. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of this writing.
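The fixed patch levels listed above can be checked mechanically. The following is an added example, not code from FreeBSD or from the advisory: `cve_2014_3880_status` is a hypothetical helper that classifies a version string in the form `uname -r` prints, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: classify a FreeBSD kernel version string against the fixed
# patch levels this page lists for CVE-2014-3880.
# cve_2014_3880_status is a hypothetical helper name, not a FreeBSD tool.

cve_2014_3880_status() {
    ver=$1
    case $ver in
        *-RELEASE|*-RELEASE-p*) ;;
        # e.g. -STABLE: the string carries no patch level, so the build date
        # has to be compared with the 2014-06-03 fix date instead.
        *) echo "undetermined"; return 0 ;;
    esac
    branch=${ver%%-*}                  # "9.2-RELEASE-p6" -> "9.2"
    case $ver in
        *-RELEASE-p*) plevel=${ver##*-p} ;;
        *)            plevel=0 ;;      # plain -RELEASE has no patches applied
    esac
    case $plevel in
        ''|*[!0-9]*) echo "undetermined"; return 0 ;;
    esac
    case $branch in
        8.4)  fixed=11 ;;
        9.1)  fixed=14 ;;
        9.2)  fixed=7 ;;
        10.0) fixed=4 ;;
        # Branch is not in this page's affected list; the page says nothing
        # about it either way.
        *) echo "not-listed"; return 0 ;;
    esac
    if [ "$plevel" -lt "$fixed" ]; then
        echo "vulnerable (needs $branch-RELEASE-p$fixed or later)"
    else
        echo "patched"
    fi
}

# Constructed sample inputs in the format `uname -r` prints on FreeBSD.
for v in 8.4-RELEASE-p10 9.1-RELEASE-p14 9.2-RELEASE 10.0-RELEASE-p3 \
         10.0-STABLE 9.3-RELEASE; do
    printf '%-18s %s\n' "$v" "$(cve_2014_3880_status "$v")"
done
```

On a live host, pass the running kernel's version with `cve_2014_3880_status "$(uname -r)"`.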
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:freebsd:freebsd:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.1:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:9.2:-:*:*:*:*:*:*
- (no CPE) range: 8.4 before p11, 9.1 before p14, 9.2 before p7, 10.0 before p4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions
No linked articles in our index yet.