FreeBSD

All CVEs

558 total · sorted by risk
  • CVE-1999-0052 · High · Nov 4, 1998
    risk 0.49 · cvss 7.5 · epss 0.02

    IP fragmentation denial of service in FreeBSD allows a remote attacker to cause a crash.

  • CVE-2026-45253 · High · May 21, 2026
    risk 0.48 · cvss 8.4 · epss 0.00

    ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. …

  • CVE-2026-5398 · High · Apr 22, 2026
    risk 0.48 · cvss 8.4 · epss 0.00

    The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious…

  • CVE-2026-42511 · High · Apr 30, 2026
    risk 0.46 · cvss 8.1 · epss 0.00

    The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the…

  • CVE-2018-6924 · High · Sep 12, 2018
    risk 0.46 · cvss 7.1 · epss 0.00

    In FreeBSD before 11.1-STABLE, 11.2-RELEASE-p3, 11.1-RELEASE-p14, 10.4-STABLE, and 10.4-RELEASE-p12, insufficient validation in the ELF header parser could allow a malicious ELF binary to cause a kernel crash or disclose kernel memory.

  • CVE-2008-5162 · High · Nov 26, 2008
    risk 0.46 · cvss 7.0 · epss 0.00

    The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict the function's return values and conduct certain attacks against the GEOM…

  • CVE-2015-1418 · High · Feb 5, 2018
    risk 0.44 · cvss 7.8 · epss 0.04

    The do_ed_script function in pch.c in GNU patch through 2.7.6, and patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before 10.2-BETA2-p3, 10.2-RC1 before 10.2-RC1-p2, and 0.2-RC2 before 10.2-RC2-p1, allows remote attackers to execute arbitrary commands via a crafted patch…

  • CVE-2015-1416 · High · Feb 5, 2018
    risk 0.44 · cvss 7.8 · epss 0.04

    Larry Wall's patch; patch in FreeBSD 10.2-RC1 before 10.2-RC1-p1, 10.2 before 10.2-BETA2-p2, and 10.1 before 10.1-RELEASE-p16; Bitrig; GNU patch before 2.2.5; and possibly other patch variants allow remote attackers to execute arbitrary shell commands via a crafted patch file.

  • CVE-2017-13086 · Medium · Oct 17, 2017
    risk 0.44 · cvss 6.8 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

  • CVE-2017-13084 · Medium · Oct 17, 2017
    risk 0.44 · cvss 6.8 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Station-To-Station-Link (STSL) Transient Key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

  • CVE-2017-13077 · Medium · Oct 17, 2017
    risk 0.44 · cvss 6.8 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the four-way handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

  • CVE-2015-7973 · Medium · Jan 30, 2017
    risk 0.43 · cvss 6.5 · epss 0.03

    NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.

  • CVE-2016-1885 · Medium · Apr 12, 2016
    risk 0.43 · cvss 6.2 · epss 0.01

    Integer signedness error in the amd64_set_ldt function in sys/amd64/amd64/sys_machdep.c in FreeBSD 9.3 before p39, 10.1 before p31, and 10.2 before p14 allows local users to cause a denial of service (kernel panic) via an i386_set_ldt system call, which triggers a heap-based…

  • CVE-2026-45255 · High · May 21, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to…

  • CVE-2026-45254 · Medium · May 21, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "allow any" instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could…

  • CVE-2026-4247 · High · Mar 26, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection,…

  • CVE-2025-0374 · Medium · Jan 30, 2025
    risk 0.42 · cvss 6.5 · epss 0.00

    When etcupdate encounters conflicts while merging files, it saves a version containing conflict markers in /var/db/etcupdate/conflicts. This version does not preserve the mode of the input file, and is world-readable. This applies to files that would normally have restricted…

  • CVE-2024-51566 · Medium · Nov 12, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    The NVMe driver queue processing is vulnerable to guest-induced infinite loops.

  • CVE-2024-51565 · Medium · Nov 12, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    The hda driver is vulnerable to a buffer over-read from a guest-controlled value.

  • CVE-2024-51563 · Medium · Nov 12, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition.

  • CVE-2024-51562 · Medium · Nov 12, 2024
    risk 0.42 · cvss 6.5 · epss 0.00

    The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value.

  • CVE-2015-5674 · Medium · Feb 5, 2018
    risk 0.42 · cvss 6.5 · epss 0.03

    The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 before 10.2-RC2-p1, 10.2-RC1 before 10.2-RC1-p2, 10.2 before 10.2-BETA2-p3, and 10.1 before 10.1-RELEASE-p17 allows remote authenticated users to cause a denial of service (assertion failure and daemon exit) via a…

  • CVE-2024-6640 · Medium · Aug 12, 2024
    risk 0.41 · cvss 6.3 · epss 0.00

    In ICMPv6 Neighbor Discovery (ND), the ID is always 0. When pf is configured to allow ND and block incoming Echo Requests, a crafted Echo Request packet after a Neighbor Solicitation (NS) can trigger an Echo Reply. The packet has to come from the same host as the NS and have a…

  • CVE-2025-0373 · Medium · Jan 30, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    On 64-bit systems, the implementation of VOP_VPTOFH() in the cd9660, tarfs and ext2fs filesystems overflows the destination FID buffer by 4 bytes, a stack buffer overflow. A NFS server that exports a cd9660, tarfs, or ext2fs file system can be made to panic by mounting and…

  • CVE-2023-48795 · Medium · Dec 18, 2023
    risk 0.39 · cvss 5.9 · epss 0.93

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently…

  • CVE-2015-7977 · Medium · Jan 30, 2017
    risk 0.39 · cvss 5.9 · epss 0.06

    ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.

  • CVE-2026-45252 · Medium · May 21, 2026
    risk 0.36 · cvss 5.5 · epss 0.00

    When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. …

  • CVE-2018-6925 · Medium · Sep 28, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    In FreeBSD before 11.2-STABLE(r338986), 11.2-RELEASE-p4, 11.1-RELEASE-p15, 10.4-STABLE(r338985), and 10.4-RELEASE-p13, due to improper maintenance of IPv6 protocol control block flags through various failure paths, an unprivileged authenticated local user may be able to cause a…

  • CVE-2018-17155 · Medium · Sep 28, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    In FreeBSD before 11.2-STABLE(r338983), 11.2-RELEASE-p4, 11.1-RELEASE-p15, 10.4-STABLE(r338984), and 10.4-RELEASE-p13, due to insufficient initialization of memory copied to userland in the getcontext and swapcontext system calls, small amounts of kernel memory may be disclosed…

  • CVE-2018-17154 · Medium · Sep 28, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    In FreeBSD before 11.2-STABLE(r338987), 11.2-RELEASE-p4, and 11.1-RELEASE-p15, due to insufficient memory checking in the freebsd4_getfsstat system call, a NULL pointer dereference can occur. Unprivileged authenticated local users may be able to cause a denial of service.

  • CVE-2018-6921 · Medium · May 8, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    In FreeBSD before 11.1-STABLE(r332066) and 11.1-RELEASE-p10, due to insufficient initialization of memory copied to userland in the network subsystem, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to…

  • CVE-2018-6920 · Medium · May 8, 2018
    risk 0.36 · cvss 5.5 · epss 0.00

    In FreeBSD before 11.1-STABLE(r332303), 11.1-RELEASE-p10, 10.4-STABLE(r332321), and 10.4-RELEASE-p9, due to insufficient initialization of memory copied to userland in the Linux subsystem and Atheros wireless driver, small amounts of kernel memory may be disclosed to userland…

  • CVE-2015-5677 · Medium · Feb 7, 2017
    risk 0.36 · cvss 5.5 · epss 0.01

    bsnmpd, as used in FreeBSD 9.3, 10.1, and 10.2, uses world-readable permissions on the snmpd.config file, which allows local users to obtain the secret key for USM authentication by reading the file.

  • CVE-2016-2518 · Medium · Jan 30, 2017
    risk 0.36 · cvss 5.3 · epss 0.15

    The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.

  • CVE-2005-0109 · Medium · Mar 5, 2005
    risk 0.36 · cvss 5.6 · epss 0.01

    Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as…

  • CVE-2002-1915 · Medium · Dec 31, 2002
    risk 0.36 · cvss 5.5 · epss 0.00

    tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file.

  • CVE-1999-0783 · Medium · Jun 16, 1998
    risk 0.36 · cvss 5.5 · epss 0.01

    FreeBSD allows local users to conduct a denial of service by creating a hard link from a device special file to a file on an NFS file system.

  • CVE-2025-24934 · Medium · Oct 22, 2025
    risk 0.35 · cvss 5.4 · epss 0.00

    Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the…

  • CVE-2018-6922 · Medium · Aug 9, 2018
    risk 0.35 · cvss 5.3 · epss 0.03

    One of the data structures that holds TCP segments in all versions of FreeBSD prior to 11.2-RELEASE-p1, 11.1-RELEASE-p12, and 10.4-RELEASE-p10 uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the…

  • CVE-2017-13088 · Medium · Oct 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points…

  • CVE-2017-13087 · Medium · Oct 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients.

  • CVE-2017-13081 · Medium · Oct 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.

  • CVE-2017-13080 · Medium · Oct 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

  • CVE-2017-13079 · Medium · Oct 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.

  • CVE-2017-13078 · Medium · Oct 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.02

    Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.

  • CVE-2006-0054 · Medium · Jan 11, 2006
    risk 0.35 · cvss 5.3 · epss 0.03

    The ipfw firewall in FreeBSD 6.0-RELEASE allows remote attackers to cause a denial of service (firewall crash) via ICMP IP fragments that match a reset, reject or unreach action, which leads to an access of an uninitialized pointer.

  • CVE-2024-39281 · Medium · Nov 12, 2024
    risk 0.34 · cvss 5.3 · epss 0.00

    The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel's memory allocator.

  • CVE-2026-6386 · Medium · Apr 22, 2026
    risk 0.33 · cvss 6.2 · epss 0.00

    In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3)…

  • CVE-2025-0662 · Medium · Jan 30, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    In some cases, the ktrace facility will log the contents of kernel structures to userspace. In one such case, ktrace dumps a variable-sized sockaddr to userspace. There, the full sockaddr is copied, even when it is shorter than the full size. This can result in up to 14…

  • CVE-2017-1088 · Low · Nov 16, 2017
    risk 0.21 · cvss 3.3 · epss 0.00

    In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24, the kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on…
