FreeBSD
by FreeBSD
CVEs (510)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-15547 | | | 0.00 | — | 0.00 | | Mar 9, 2026 | By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the… |
| CVE-2025-14769 | | | 0.00 | — | 0.01 | | Mar 9, 2026 | In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. Maliciously crafted packets sent… |
| CVE-2024-43102 | | | 0.00 | — | 0.01 | | Sep 5, 2024 | Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code… |
| CVE-2024-32668 | | | 0.00 | — | 0.00 | | Sep 5, 2024 | An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. Malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve… |
| CVE-2024-43110 | | | 0.00 | — | 0.00 | | Sep 5, 2024 | The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically… |
| CVE-2024-42416 | | | 0.00 | — | 0.00 | | Sep 5, 2024 | The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel heap memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to… |
| CVE-2024-8178 | | | 0.00 | — | 0.01 | | Sep 5, 2024 | The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve… |
| CVE-2024-45287 | | | 0.00 | — | 0.01 | | Sep 5, 2024 | A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. |
| CVE-2024-6759 | | | 0.00 | — | 0.01 | | Aug 11, 2024 | When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. The lack of… |
| CVE-2024-6760 | | | 0.00 | — | 0.01 | | Aug 11, 2024 | A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have been, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents… |
| CVE-2024-29937 | | | 0.00 | — | 0.02 | | Mar 21, 2024 | NFS in a BSD-derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption. |
| CVE-2022-23093 | | | 0.00 | — | 0.02 | | Feb 15, 2024 | ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response, ping has to reconstruct the IP header, the ICMP header and, if present, a "quoted packet," which represents the packet that generated an ICMP error. … |
| CVE-2022-23092 | | | 0.00 | — | 0.01 | | Feb 15, 2024 | The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. The bug can be triggered by a… |
| CVE-2022-23091 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private… |
| CVE-2022-23090 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use after free (UAF). |
| CVE-2022-23089 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | When dumping core and saving process information, proc_getargv() might return an sbuf which has an sbuf_len() of 0 or -1, which is not properly handled. An out-of-bounds read can happen when a user constructs a specially crafted ps_string, which in turn can cause the kernel to… |
| CVE-2022-23088 | | | 0.00 | — | 0.04 | | Feb 15, 2024 | The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with an SSID) a malicious beacon frame may overwrite kernel memory,… |
| CVE-2022-23087 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an… |
| CVE-2022-23086 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed-size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or… |
| CVE-2022-23085 | | | 0.00 | — | 0.00 | | Feb 15, 2024 | A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail… |
Page 11 of 26