FreeBSD
by FreeBSD
Source repositories
CVEs (510)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-45250 | Hig | 0.51 | 7.8 | 0.00 | May 21, 2026 | The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied… | ||
| CVE-2026-39457 | Hig | 0.51 | 7.8 | 0.00 | Apr 30, 2026 | When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application… | ||
| CVE-2026-7270 | Hig | 0.51 | 7.8 | 0.00 | Apr 30, 2026 | An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges. | ||
| CVE-2017-1087 | Hig | 0.51 | 7.8 | 0.00 | Nov 16, 2017 | In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24 named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. As a result, a… | ||
| CVE-2015-5675 | Hig | 0.51 | 7.8 | 0.01 | Oct 10, 2017 | The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allows local users to gain privileges or cause a denial of service (kernel panic). | ||
| CVE-2016-1889 | Hig | 0.51 | 7.8 | 0.00 | Feb 15, 2017 | Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor. | ||
| CVE-2016-1883 | Hig | 0.51 | 7.8 | 0.00 | Feb 15, 2017 | The issetugid system call in the Linux compatibility layer in FreeBSD 9.3, 10.1, and 10.2 allows local users to gain privilege via unspecified vectors. | ||
| CVE-2016-1881 | Hig | 0.51 | 7.8 | 0.00 | Feb 15, 2017 | The kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to cause a denial of service (crash) or potentially gain privilege via a crafted Linux compatibility layer setgroups system call. | ||
| CVE-2016-1880 | Hig | 0.51 | 7.8 | 0.00 | Feb 15, 2017 | The Linux compatibility layer in the kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to read portions of kernel memory and potentially gain privilege via unspecified vectors, related to "handling of Linux futex robust lists." | ||
| CVE-2006-6165 | Hig | 0.51 | 7.8 | 0.00 | Nov 29, 2006 | ld.so in FreeBSD, NetBSD, and possibly other BSD distributions does not remove certain harmful environment variables, which allows local users to gain privileges by passing certain environment variables to loading processes. NOTE: this issue has been disputed by a third party,… | ||
| CVE-2005-1036 | Hig | 0.51 | 7.8 | 0.00 | May 2, 2005 | FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain… | ||
| CVE-1999-0022 | Hig | 0.51 | 7.8 | 0.01 | Jul 3, 1996 | Local user gains root privileges via buffer overflow in rdist, via expstr() function. | ||
| CVE-2026-4747 | Hig | 0.50 | 8.8 | 0.02 | Mar 26, 2026 | Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. … | ||
| CVE-2004-0079 | Hig | 0.50 | 7.5 | 0.10 | Nov 23, 2004 | The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. | ||
| CVE-2026-7164 | Hig | 0.49 | 7.5 | 0.00 | Apr 30, 2026 | Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process… | ||
| CVE-2026-4748 | Hig | 0.49 | 7.5 | 0.00 | Apr 1, 2026 | A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed… | ||
| CVE-2026-4652 | Hig | 0.49 | 7.5 | 0.00 | Mar 26, 2026 | On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID. An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on… | ||
| CVE-2024-51564 | Hig | 0.49 | 7.5 | 0.00 | Nov 12, 2024 | A guest can trigger an infinite loop in the hda audio driver. | ||
| CVE-2024-45289 | Hig | 0.49 | 7.5 | 0.00 | Nov 12, 2024 | The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option. Fetch would still connect… | ||
| CVE-2017-1083 | Hig | 0.49 | 7.5 | 0.01 | Sep 12, 2018 | In FreeBSD before 11.2-RELEASE, a stack guard-page is available but is disabled by default. This results in the possibility a poorly written process could be cause a stack overflow. |
- risk 0.51cvss 7.8epss 0.00
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied…
- risk 0.51cvss 7.8epss 0.00
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application…
- risk 0.51cvss 7.8epss 0.00
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug may be exploitable by an unprivileged user to obtain superuser privileges.
- risk 0.51cvss 7.8epss 0.00
In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24 named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. As a result, a…
- risk 0.51cvss 7.8epss 0.01
The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allows local users to gain privileges or cause a denial of service (kernel panic).
- risk 0.51cvss 7.8epss 0.00
Integer overflow in the bhyve hypervisor in FreeBSD 10.1, 10.2, 10.3, and 11.0 when configured with a large amount of guest memory, allows local users to gain privilege via a crafted device descriptor.
- risk 0.51cvss 7.8epss 0.00
The issetugid system call in the Linux compatibility layer in FreeBSD 9.3, 10.1, and 10.2 allows local users to gain privilege via unspecified vectors.
- risk 0.51cvss 7.8epss 0.00
The kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to cause a denial of service (crash) or potentially gain privilege via a crafted Linux compatibility layer setgroups system call.
- risk 0.51cvss 7.8epss 0.00
The Linux compatibility layer in the kernel in FreeBSD 9.3, 10.1, and 10.2 allows local users to read portions of kernel memory and potentially gain privilege via unspecified vectors, related to "handling of Linux futex robust lists."
- risk 0.51cvss 7.8epss 0.00
ld.so in FreeBSD, NetBSD, and possibly other BSD distributions does not remove certain harmful environment variables, which allows local users to gain privileges by passing certain environment variables to loading processes. NOTE: this issue has been disputed by a third party,…
- risk 0.51cvss 7.8epss 0.00
FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain…
- risk 0.51cvss 7.8epss 0.01
Local user gains root privileges via buffer overflow in rdist, via expstr() function.
- risk 0.50cvss 8.8epss 0.02
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. …
- risk 0.50cvss 7.5epss 0.10
The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.
- risk 0.49cvss 7.5epss 0.00
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process…
- risk 0.49cvss 7.5epss 0.00
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed…
- risk 0.49cvss 7.5epss 0.00
On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID. An attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on…
- risk 0.49cvss 7.5epss 0.00
A guest can trigger an infinite loop in the hda audio driver.
- risk 0.49cvss 7.5epss 0.00
The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. The environment variable name used by fetch(1) to pass the filename to the library was incorrect, in effect ignoring the option. Fetch would still connect…
- risk 0.49cvss 7.5epss 0.01
In FreeBSD before 11.2-RELEASE, a stack guard-page is available but is disabled by default. This results in the possibility a poorly written process could be cause a stack overflow.
Page 2 of 26