FreeBSD: Local Privilege Escalation via Execve()
Source: Hacker News
FreeBSD-SA-26:13.exec – Security Advisory
Topic: Local privilege escalation via execve()
Category: core
Module: execve(2)
Announced: 2026‑04‑29
Credits: Ryan of Calif.io
Affects: All supported versions of FreeBSD
Corrected: 2026‑04‑29 (see details below)
CVE: CVE‑2026‑7270
Background
execve(2) is the system call used to launch an executable image, including scripts prefixed with a path to the interpreter. The call takes a path to the image as a parameter, followed by extra arguments and environment variables to be passed to the new image.
Problem Description
An operator‑precedence bug in the kernel can cause a buffer overflow, allowing attacker‑controlled data to overwrite adjacent execve(2) argument buffers.
Impact
The bug may be exploitable by an unprivileged user to obtain superuser privileges.
Workaround
No workaround is available.
Solution
Upgrade the vulnerable system to a supported FreeBSD stable or release/security branch (releng) dated after the correction date, and reboot the system.
1. Update systems installed from base system packages
For FreeBSD 15.0‑RELEASE on amd64 or arm64 installed via base packages:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"2. Update systems installed from binary distribution sets
For FreeBSD RELEASE on amd64, arm64, or i386 (FreeBSD 13) that were not installed using base packages:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"3. Update via a source‑code patch
Download and verify the patch:
# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch
# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc
# gpg --verify exec.patch.ascApply the patch as root:
# cd /usr/src
# patch To determine the commit count in a working tree (for comparison against the table above):
# git rev-list --count --first-parent HEADReferences
The latest revision of this advisory is available at the FreeBSD security advisory page.