Filtered by vendor Freebsd Subscriptions
Total 543 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-8178 1 Freebsd 1 Freebsd 2024-09-06 9.3 Critical
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
CVE-2024-45063 1 Freebsd 1 Freebsd 2024-09-06 9.8 Critical
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
CVE-2024-41928 1 Freebsd 1 Freebsd 2024-09-06 8.4 High
Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
CVE-2024-45287 1 Freebsd 1 Freebsd 2024-09-06 9.1 Critical
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.
CVE-2024-32668 1 Freebsd 1 Freebsd 2024-09-05 8.2 High
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
CVE-2024-42416 1 Freebsd 1 Freebsd 2024-09-05 8.4 High
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
CVE-2024-43102 1 Freebsd 1 Freebsd 2024-09-05 9.8 Critical
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
CVE-2024-43110 1 Freebsd 1 Freebsd 2024-09-05 8.4 High
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.
CVE-2024-45288 1 Freebsd 1 Freebsd 2024-09-05 8.4 High
A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer.
CVE-2024-6387 9 Amazon, Canonical, Debian and 6 more 24 Linux 2023, Ubuntu Linux, Debian Linux and 21 more 2024-08-20 8.1 High
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
CVE-2024-7589 1 Freebsd 1 Freebsd 2024-08-16 8.1 High
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.
CVE-2024-6760 1 Freebsd 1 Freebsd 2024-08-16 7.5 High
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database.
CVE-2024-6759 1 Freebsd 1 Freebsd 2024-08-16 5.3 Medium
When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory.
CVE-2000-1167 1 Freebsd 1 Freebsd 2024-08-08 N/A
ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict access as specified by the "nat deny_incoming" command, which allows remote attackers to connect to the target system.
CVE-2000-1184 1 Freebsd 1 Freebsd 2024-08-08 N/A
telnetd in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service by specifying an arbitrary large file in the TERMCAP environmental variable, which consumes resources as the server processes the file.
CVE-2000-1066 1 Freebsd 1 Freebsd 2024-08-08 N/A
The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname.
CVE-2000-0993 3 Freebsd, Netbsd, Openbsd 3 Freebsd, Netbsd, Openbsd 2024-08-08 N/A
Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd.
CVE-2000-1012 1 Freebsd 1 Freebsd 2024-08-08 N/A
The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable.
CVE-2000-1011 1 Freebsd 1 Freebsd 2024-08-08 N/A
Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable.
CVE-2000-0998 1 Freebsd 1 Freebsd 2024-08-08 N/A
Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.