CVE-2026-49413 Overview
CVE-2026-49413 is a local privilege escalation vulnerability in the FreeBSD Linuxulator, the Linux binary compatibility layer. The Linuxulator determines whether a binary is set-user-ID (SUID) or set-group-ID (SGID) by checking the P_SUGID process flag. During execve(2), this flag has not yet been set when the auxiliary vector is constructed. As a result, AT_SECURE is incorrectly set to zero for SUID and SGID executables. An unprivileged local user can abuse this flaw by injecting a shared library through LD_PRELOAD into a SUID or SGID Linux binary, gaining the privileges of that binary.
Critical Impact
Local attackers can escalate privileges to root by preloading arbitrary shared libraries into SUID Linux binaries executed under the FreeBSD Linuxulator.
Affected Products
- FreeBSD 14.3 (all patch levels through p14)
- FreeBSD 14.4 (all patch levels through p5)
- FreeBSD 15.0 (all patch levels through p9)
Discovery Timeline
- 2026-06-27 - CVE-2026-49413 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-49413
Vulnerability Analysis
The FreeBSD Linuxulator provides binary compatibility for Linux ELF executables running on FreeBSD. When executing a Linux binary, the kernel constructs an auxiliary vector (auxv) that is passed to the loader in the target process's address space. One critical entry, AT_SECURE, informs the dynamic linker whether the process is running with elevated privileges. When AT_SECURE equals 1, ld.so disables dangerous features such as LD_PRELOAD and LD_LIBRARY_PATH for untrusted paths.
The vulnerability is classified under [CWE-266] Incorrect Privilege Assignment. Exploitation requires local access with low privileges and no user interaction. Successful exploitation grants the attacker the privileges of the targeted SUID or SGID binary, which is frequently root.
Root Cause
The Linuxulator relies on the P_SUGID process flag to determine SUID or SGID status. During execve(2), the auxiliary vector is populated before P_SUGID is set on the new process image. The check returns false, so AT_SECURE is written as zero even when the binary carries the setuid or setgid bit. The dynamic loader then treats the process as unprivileged and honors attacker-controlled environment variables.
Attack Vector
An unprivileged local user sets LD_PRELOAD to point to a malicious shared object. The user then executes a Linux SUID or SGID binary under the Linuxulator. Because AT_SECURE is zero, ld.so loads the attacker's library into the privileged process, executing arbitrary code with the binary's effective UID or GID. See the FreeBSD Security Advisory SA-26:30 for authoritative technical details.
Detection Methods for CVE-2026-49413
Indicators of Compromise
- Execution of Linux ELF SUID or SGID binaries with LD_PRELOAD, LD_LIBRARY_PATH, or LD_AUDIT environment variables set by an unprivileged user.
- Unexpected shared library loads from world-writable directories such as /tmp or /var/tmp into privileged Linuxulator processes.
- Creation of new SUID root shells or unexplained privilege transitions originating from Linux-compat binary execution.
Detection Strategies
- Audit process execution telemetry for Linux-compat binaries invoked with LD_* environment variables under non-root UIDs.
- Monitor for mmap and open calls loading .so files from non-standard paths inside Linuxulator process trees.
- Correlate execution of SUID Linux binaries with subsequent shell spawns or UID transitions to root.
Monitoring Recommendations
- Enable FreeBSD audit framework rules for execve events targeting /compat/linux paths and record environment variables.
- Alert on any dynamic loader activity in privileged processes referencing user-writable directories.
- Baseline expected Linuxulator SUID binary invocations and flag deviations for investigation.
How to Mitigate CVE-2026-49413
Immediate Actions Required
- Apply the FreeBSD security patches referenced in advisory SA-26:30 to all affected 14.3, 14.4, and 15.0 systems.
- Inventory all Linux ELF binaries under /compat/linux and remove the setuid or setgid bits from any that are not strictly required.
- Restrict local shell access on hosts that run the Linuxulator to reduce local attack surface.
Patch Information
FreeBSD has released fixes as documented in the FreeBSD Security Advisory SA-26:30. Administrators should update to the latest supported patch level for their release branch and reboot to ensure the corrected Linuxulator kernel module is loaded. Verify remediation by inspecting AT_SECURE propagation for Linux SUID binaries after patching.
Workarounds
- Unload the linux and linux64 kernel modules with kldunload linux64 linux on systems that do not require Linux binary compatibility.
- Clear the setuid and setgid bits on Linux binaries under /compat/linux using chmod u-s,g-s where feasible.
- Restrict execution of the Linuxulator to trusted users through mandatory access control policies or jail configurations.
# Configuration example: disable Linuxulator until patched
service linux stop
kldunload linux64
kldunload linux
sysrc linux_enable="NO"
# Remove SUID/SGID bits from Linux-compat binaries
find /compat/linux -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

