Local privilege escalation via execve()
Source: Hacker News
FreeBSD-SA-26:13.exec – Security Advisory
Topic: Local privilege escalation via execve()
Category: core
Module: execve(2)
Announced: 2026-04-29
Credits: Ryan of Calif.io
Affects: All supported versions of FreeBSD.
Corrected: 2026-04-29 (see table below)
CVE: CVE-2026-7270
I. Background
execve(2) is the system call used to launch an executable image, including scripts prefixed with a path to the interpreter. The call takes a path to the image as a parameter, followed by extra arguments and environment variables to be passed to the new image.
II. Problem Description
An operator-precedence bug in the kernel leads to a buffer overflow that allows attacker-controlled data to overwrite adjacent execve(2) argument buffers.
III. Impact
The bug may be exploitable by an unprivileged user to obtain superuser privileges.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or release/security branch (releng) dated after the correction date, and reboot the system.
1. Update systems installed from base system packages
Applicable to FreeBSD 15.0-RELEASE on amd64 or arm64 platforms installed via base packages:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2. Update systems installed from binary distribution sets
Applicable to FreeBSD RELEASE on amd64, arm64, or i386 (FreeBSD 13) platforms that were not installed using base packages:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3. Update via a source-code patch
The following patches have been verified for the applicable FreeBSD release branches.
a) Download and verify the patch
# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch
# fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc
# gpg --verify exec.patch.asc
b) Apply the patch
# cd /usr/src
# patch < /path/to/patch
To determine the commit count in a working tree (for comparison against the numbers above):
# git rev-list --count --first-parent HEAD
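Because the fix is in the kernel, a host stays exposed until it is running the corrected kernel, not merely until the update is installed. The script below is an added example, not part of the advisory: it classifies a RELEASE host from the installed and running kernel versions reported by freebsd-version(1). REQUIRED is an assumed environment variable that the operator sets to the corrected version for their branch, copied from the advisory's correction table, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: has the kernel fix been installed, and is it actually running?
# Handles RELEASE version strings of the form <release>[-pN].

# patch_level VERSION: print N from a trailing -pN, or 0 when there is none.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# release_of VERSION: print the version with any trailing -pN removed.
release_of() {
    case "$1" in
        *-p[0-9]*) echo "${1%-p*}" ;;
        *)         echo "$1" ;;
    esac
}

# kernel_state INSTALLED RUNNING REQUIRED
# Prints one of: branch-mismatch | update-needed | reboot-pending | ok
kernel_state() {
    installed=$1; running=$2; required=$3
    need=$(patch_level "$required")
    if [ "$(release_of "$installed")" != "$(release_of "$required")" ]; then
        echo branch-mismatch      # REQUIRED was taken from another branch's row
    elif [ "$(patch_level "$installed")" -lt "$need" ]; then
        echo update-needed        # kernel on disk predates the correction
    elif [ "$(release_of "$running")" != "$(release_of "$required")" ] ||
         [ "$(patch_level "$running")" -lt "$need" ]; then
        echo reboot-pending       # fixed kernel installed, old one still running
    else
        echo ok
    fi
}

# Runs only on a FreeBSD host and only when the operator has supplied REQUIRED.
# -k reports the installed kernel, -r the running kernel.
if [ -n "${REQUIRED:-}" ] && command -v freebsd-version >/dev/null 2>&1; then
    kernel_state "$(freebsd-version -k)" "$(freebsd-version -r)" "$REQUIRED"
fi
```

A result of reboot-pending means the update step succeeded but the shutdown -r step has not yet taken effect.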
VII. References
The latest revision of this advisory is available at the FreeBSD security advisory site.