Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49416

CVE-2026-49416: FreeBSD Privilege Escalation Vulnerability

CVE-2026-49416 is a privilege escalation flaw in FreeBSD caused by an integer overflow in the CONS_HISTORY ioctl handler. Local users can exploit this to gain elevated privileges. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-49416 Overview

CVE-2026-49416 is a kernel-level integer overflow vulnerability in the FreeBSD vt(4) virtual terminal driver. The CONS_HISTORY ioctl handler fails to validate the requested history size before computing a buffer allocation. A large user-supplied value triggers an integer overflow in the size calculation, producing an undersized heap allocation. Subsequent initialization then writes beyond the end of the buffer, corrupting adjacent kernel heap memory.

An unprivileged local user with access to a vt(4) device can trigger this out-of-bounds write, potentially escalating privileges to root. The issue is tracked under [CWE-190: Integer Overflow or Wraparound].

Critical Impact

Local privilege escalation to kernel context on FreeBSD 14.3, 14.4, and 15.0 systems through an unprivileged ioctl call.

Affected Products

  • FreeBSD 14.3 (base release through patch level p14)
  • FreeBSD 14.4 (base release through patch level p5)
  • FreeBSD 15.0 (base release through patch level p9)

Discovery Timeline

  • 2026-06-27 - CVE-2026-49416 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-49416

Vulnerability Analysis

The vt(4) driver implements FreeBSD's newcons virtual terminal subsystem and exposes the CONS_HISTORY ioctl to userland processes with access to a console device node. The handler accepts a caller-supplied history size and uses it to compute the byte size for a scrollback buffer allocation. Because this multiplication is performed without upper-bound validation, a sufficiently large history value wraps the arithmetic result to a small integer.

The kernel allocator then returns a heap block much smaller than the driver expects. The driver's buffer initialization loop uses the original (unwrapped) length as its termination bound, writing kernel data structures past the end of the undersized allocation. This linear heap overflow corrupts neighboring allocator metadata or adjacent kernel objects.

Root Cause

The root cause is missing bounds enforcement on the history_size parameter prior to the size arithmetic in the CONS_HISTORY ioctl handler. The driver trusts a value that crosses the userland-kernel trust boundary and performs size * element_width without checking for arithmetic overflow. FreeBSD provides helpers such as those in <sys/overflow.h> for exactly this case, but they are not applied here.

Attack Vector

Exploitation requires local access and permission to open a vt(4) device node such as /dev/ttyv*. An attacker calls ioctl() with the CONS_HISTORY command and a crafted size argument chosen to overflow the internal size calculation. By shaping the kernel heap in advance to place a controllable victim object adjacent to the undersized allocation, the attacker converts the linear overwrite into control of a kernel pointer, credential structure, or function pointer. The result is arbitrary kernel write and privilege escalation to UID 0.

No public proof-of-concept exploit is currently listed, and the vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. See the FreeBSD Security Advisory SA-26:34 for vendor-published technical details.

Detection Methods for CVE-2026-49416

Indicators of Compromise

  • Unexpected kernel panics or page fault traps originating in vt(4) or malloc/free paths in /var/log/messages or dmesg output.
  • Local user processes issuing ioctl() calls with the CONS_HISTORY command against /dev/ttyv* device nodes.
  • New root-owned processes spawned from previously unprivileged UIDs shortly after console device access.

Detection Strategies

  • Audit FreeBSD hosts with freebsd-version -uk and compare against fixed patch levels identified in SA-26:34.
  • Enable and monitor audit(4) with the io class to capture ioctl activity against terminal devices by non-console users.
  • Correlate console device opens by non-interactive users with subsequent privilege changes using host telemetry.

Monitoring Recommendations

  • Forward auditd and syslog records to a central analytics platform and alert on vt-related kernel faults.
  • Track UID transitions to 0 that are not preceded by an authenticated su, sudo, or login event.
  • Baseline which users legitimately access /dev/ttyv* on each host and alert on deviations.

How to Mitigate CVE-2026-49416

Immediate Actions Required

  • Apply the FreeBSD Project's security update from SA-26:34 to all affected 14.3, 14.4, and 15.0 systems.
  • Restrict interactive shell access on multi-user systems to reduce the local attacker population.
  • Review permissions on /dev/ttyv* device nodes and confirm they are not world-accessible on servers that do not require console multiplexing.

Patch Information

The FreeBSD Project has released a corrected vt(4) driver as part of the base system update described in the FreeBSD Security Advisory SA-26:34. Administrators should update to the latest patch level for their supported branch using freebsd-update fetch install and reboot to load the corrected kernel. Custom kernels must be rebuilt from patched sources.

Workarounds

  • Where patching is delayed, remove or restrict access to vt(4) device nodes for untrusted users by adjusting devfs.rules(5).
  • Disable interactive login for service accounts that do not require it, reducing exposure to local ioctl attacks.
  • On systems that do not use the newcons virtual terminal, consider disabling vt(4) in the kernel configuration and switching to syscons or a serial console.
bash
# Configuration example: apply the kernel patch and verify version
freebsd-update fetch
freebsd-update install
shutdown -r now

# After reboot, confirm the running kernel patch level
freebsd-version -uk

# Restrict access to vt(4) device nodes via devfs.rules(5)
cat >> /etc/devfs.rules <<'EOF'
[localrules=10]
add path 'ttyv*' mode 0600 group wheel
EOF
sysrc devfs_system_ruleset="localrules"
service devfs restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.