VYPR: Vendor CVEs for FreeBSD

All CVEs (558 total · sorted by risk)
  • CVE-2010-4755 · Mar 2, 2011
    risk 0.01 · cvss n/a · epss 0.08

    The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory…

  • CVE-2008-0122 · Jan 16, 2008
    risk 0.01 · cvss n/a · epss 0.12

    Off-by-one error in the inet_network function in libbind in ISC BIND 9.4.2 and earlier, as used in libc in FreeBSD 6.2 through 7.0-PRERELEASE, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted input that…

  • CVE-2007-3641 · Jul 14, 2007
    risk 0.01 · cvss n/a · epss 0.07

    archive_read_support_format_tar.c in libarchive before 2.2.4 does not properly compute the length of a certain buffer when processing a malformed pax extension header, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary…

  • CVE-2006-4304 · Aug 24, 2006
    risk 0.01 · cvss n/a · epss 0.11

    Buffer overflow in the sppp driver in FreeBSD 4.11 through 6.1, NetBSD 2.0 through 4.0 beta before 20060823, and OpenBSD 3.8 and 3.9 before 20060902 allows remote attackers to cause a denial of service (panic), obtain sensitive information, and possibly execute arbitrary code…

  • CVE-2006-0381 · Jan 25, 2006
    risk 0.01 · cvss n/a · epss 0.06

    A logic error in the IP fragment cache functionality in pf in FreeBSD 5.3, 5.4, and 6.0, and OpenBSD, when a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule is being used, allows remote attackers to cause a denial of service (crash) via crafted packets that cause a…

  • CVE-2005-0469 · May 2, 2005
    risk 0.01 · cvss n/a · epss 0.09

    Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.

  • CVE-2004-0112 · Nov 23, 2004
    risk 0.01 · cvss n/a · epss 0.10

    The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake…

  • CVE-2004-0081 · Nov 23, 2004
    risk 0.01 · cvss n/a · epss 0.07

    OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.

  • CVE-2003-0028 · Mar 25, 2003
    risk 0.01 · cvss n/a · epss 0.15

    Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in…

  • CVE-2002-1219 · Nov 29, 2002
    risk 0.01 · cvss n/a · epss 0.12

    Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR).

  • CVE-2002-1221 · Nov 29, 2002
    risk 0.01 · cvss n/a · epss 0.08

    BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.

  • CVE-2001-0670 · Oct 3, 2001
    risk 0.01 · cvss n/a · epss 0.07

    Buffer overflow in BSD line printer daemon (in.lpd or lpd) in various BSD-based operating systems allows remote attackers to execute arbitrary code via an incomplete print job followed by a request to display the printer queue.

  • CVE-1999-0057 · Nov 16, 1998
    risk 0.01 · cvss n/a · epss 0.08

    Vacation program allows command execution by remote users through a sendmail command.

  • CVE-1999-0074 · Jul 1, 1997
    risk 0.01 · cvss n/a · epss 0.08

    Listening TCP ports are sequentially allocated, allowing spoofing attacks.

  • CVE-2026-3038 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    The rtsock_msg_buffer() function serializes routing information into a buffer. As a part of this, it copies sockaddr structures into a sockaddr_storage structure on the stack. It assumes that the source sockaddr length field had already been validated, but this is not…

  • CVE-2026-2261 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Due to a programming error, blocklistd leaks a socket descriptor for each adverse event report it receives. Once a certain number of leaked sockets is reached, blocklistd becomes unable to run the helper script: a child process is forked, but this child dereferences a null…

  • CVE-2025-15576 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    If two sibling jails are restricted to separate filesystem trees, which is to say that neither of the two jail root directories is an ancestor of the other, jailed processes may nonetheless be able to access a shared directory via a nullfs mount, if the administrator has…

  • CVE-2025-15547 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.00

    By default, jailed processes cannot mount filesystems, including nullfs(4). However, the allow.mount.nullfs option enables mounting nullfs filesystems, subject to privilege checks. If a privileged user within a jail is able to nullfs-mount directories, a limitation of the…

  • CVE-2025-14769 · Mar 9, 2026
    risk 0.00 · cvss n/a · epss 0.01

    In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. Maliciously crafted packets sent…

  • CVE-2024-43102 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code…

  • CVE-2024-32668 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve…

  • CVE-2024-43110 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically…

  • CVE-2024-42416 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel heap memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to…

  • CVE-2024-8178 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve…

  • CVE-2024-45287 · Sep 5, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.

  • CVE-2024-6759 · Aug 11, 2024
    risk 0.00 · cvss n/a · epss 0.01

    When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. The lack of…

  • CVE-2024-6760 · Aug 11, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents…

  • CVE-2024-29937 · Mar 21, 2024
    risk 0.00 · cvss n/a · epss 0.02

    NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption.

  • CVE-2022-23093 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.02

    ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. …

  • CVE-2022-23092 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The implementation of lib9p's handling of RWALK messages was missing a bounds check needed when unpacking the message contents. The missing check means that the receipt of a specially crafted message will cause lib9p to overwrite unrelated memory. The bug can be triggered by a…

  • CVE-2022-23091 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A particular case of memory sharing is mishandled in the virtual memory system. This is very similar to SA-21:08.vm, but with a different root cause. An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private…

  • CVE-2022-23090 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The aio_aqueue function, used by the lio_listio system call, fails to release a reference to a credential in an error case. An attacker may cause the reference count to overflow, leading to a use after free (UAF).

  • CVE-2022-23089 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    When dumping core and saving process information, proc_getargv() might return an sbuf which has an sbuf_len() of 0 or -1, which is not properly handled. An out-of-bounds read can happen when a user constructs a specially crafted ps_string, which in turn can cause the kernel to…

  • CVE-2022-23088 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.04

    The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer. While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with an SSID) a malicious beacon frame may overwrite kernel memory,…

  • CVE-2022-23087 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an…

  • CVE-2022-23086 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or…

  • CVE-2022-23085 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail…

  • CVE-2022-23084 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process…

  • CVE-2024-25941 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The jail(2) system call has not limited the visibility of allocated TTYs (the kern.ttys sysctl). This gives rise to an information leak about processes outside the current jail. An attacker can get information about TTYs allocated on the host or in other jails. Effectively, the…

  • CVE-2024-25940 · Feb 15, 2024
    risk 0.00 · cvss n/a · epss 0.01

    `bhyveload -h ` may be used to grant loader access to the directory tree on the host. Affected versions of bhyveload(8) do not make any attempt to restrict loader's access to , allowing the loader to read any file the host user has access…

  • CVE-2023-6660 · Dec 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    When a program running on an affected system appends data to a file via an NFS client mount, the bug can cause the NFS client to fail to copy in the data to be written but proceed as though the copy operation had succeeded. This means that the data to be written is instead…

  • CVE-2023-6534 · Dec 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In versions of FreeBSD 14.0-RELEASE before 14-RELEASE-p2, FreeBSD 13.2-RELEASE before 13.2-RELEASE-p7 and FreeBSD 12.4-RELEASE before 12.4-RELEASE-p9, the pf(4) packet filter incorrectly validates TCP sequence numbers. This could allow a malicious actor to execute a…

  • CVE-2023-5978 · Nov 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In versions of FreeBSD 13-RELEASE before 13-RELEASE-p5, under certain circumstances the cap_net libcasper(3) service incorrectly validates that updated constraints are strictly subsets of the active constraints. When only a list of resolvable domain names was specified…

  • CVE-2023-5941 · Nov 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5 the __sflush() stdio function in libc does not correctly update FILE objects' write space members for write-buffered streams when the write(2) system call returns an…

  • CVE-2023-5370 · Oct 4, 2023
    risk 0.00 · cvss n/a · epss 0.00

    On CPU 0 the check for the SMCCC workaround is called before SMCCC support has been initialized. This resulted in no speculative execution workarounds being installed on CPU 0.

  • CVE-2023-5369 · Oct 4, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Before correction, the copy_file_range system call checked only for the CAP_READ and CAP_WRITE capabilities on the input and output file descriptors, respectively. Using an offset is logically equivalent to seeking, and the system call must additionally require the CAP_SEEK…

  • CVE-2023-5368 · Oct 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    On an msdosfs filesystem, the 'truncate' or 'ftruncate' system calls under certain circumstances populate the additional space in the file with unallocated data from the underlying disk device, rather than zero bytes. This may permit a user with write access to files on a…

  • CVE-2023-4809 · Sep 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate…

  • CVE-2023-3494 · Aug 1, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer…

  • CVE-2023-3107 · Aug 1, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A set of carefully crafted IPv6 packets can trigger an integer overflow in the calculation of a fragment-reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service.

Page 5 of 12