Filtered by vendor Freebsd
Subscriptions
Total
543 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-8178 | 1 Freebsd | 1 Freebsd | 2024-09-06 | 9.3 Critical |
The ctl_write_buffer and ctl_read_buffer functions allocated memory to be returned to userspace, without initializing it. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | ||||
CVE-2024-45063 | 1 Freebsd | 1 Freebsd | 2024-09-06 | 9.8 Critical |
The function ctl_write_buffer incorrectly set a flag which resulted in a kernel Use-After-Free when a command finished processing. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | ||||
CVE-2024-41928 | 1 Freebsd | 1 Freebsd | 2024-09-06 | 8.4 High |
Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. | ||||
CVE-2024-45287 | 1 Freebsd | 1 Freebsd | 2024-09-06 | 9.1 Critical |
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data. | ||||
CVE-2024-32668 | 1 Freebsd | 1 Freebsd | 2024-09-05 | 8.2 High |
An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller. A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. | ||||
CVE-2024-42416 | 1 Freebsd | 1 Freebsd | 2024-09-05 | 8.4 High |
The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | ||||
CVE-2024-43102 | 1 Freebsd | 1 Freebsd | 2024-09-05 | 9.8 Critical |
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape. | ||||
CVE-2024-43110 | 1 Freebsd | 1 Freebsd | 2024-09-05 | 8.4 High |
The ctl_request_sense function could expose up to three bytes of the kernel heap to userspace. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host. | ||||
CVE-2024-45288 | 1 Freebsd | 1 Freebsd | 2024-09-05 | 8.4 High |
A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer. | ||||
CVE-2024-6387 | 9 Amazon, Canonical, Debian and 6 more | 24 Linux 2023, Ubuntu Linux, Debian Linux and 21 more | 2024-08-20 | 8.1 High |
A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | ||||
CVE-2024-7589 | 1 Freebsd | 1 Freebsd | 2024-08-16 | 8.1 High |
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root. | ||||
CVE-2024-6760 | 1 Freebsd | 1 Freebsd | 2024-08-16 | 7.5 High |
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database. | ||||
CVE-2024-6759 | 1 Freebsd | 1 Freebsd | 2024-08-16 | 5.3 Medium |
When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory. | ||||
CVE-2000-1167 | 1 Freebsd | 1 Freebsd | 2024-08-08 | N/A |
ppp utility in FreeBSD 4.1.1 and earlier does not properly restrict access as specified by the "nat deny_incoming" command, which allows remote attackers to connect to the target system. | ||||
CVE-2000-1184 | 1 Freebsd | 1 Freebsd | 2024-08-08 | N/A |
telnetd in FreeBSD 4.2 and earlier, and possibly other operating systems, allows remote attackers to cause a denial of service by specifying an arbitrary large file in the TERMCAP environmental variable, which consumes resources as the server processes the file. | ||||
CVE-2000-1066 | 1 Freebsd | 1 Freebsd | 2024-08-08 | N/A |
The getnameinfo function in FreeBSD 4.1.1 and earlier, and possibly other operating systems, allows a remote attacker to cause a denial of service via a long DNS hostname. | ||||
CVE-2000-0993 | 3 Freebsd, Netbsd, Openbsd | 3 Freebsd, Netbsd, Openbsd | 2024-08-08 | N/A |
Format string vulnerability in pw_error function in BSD libutil library allows local users to gain root privileges via a malformed password in commands such as chpass or passwd. | ||||
CVE-2000-1012 | 1 Freebsd | 1 Freebsd | 2024-08-08 | N/A |
The catopen function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to read arbitrary files via the LANG environmental variable. | ||||
CVE-2000-1011 | 1 Freebsd | 1 Freebsd | 2024-08-08 | N/A |
Buffer overflow in catopen() function in FreeBSD 5.0 and earlier, and possibly other OSes, allows local users to gain root privileges via a long environmental variable. | ||||
CVE-2000-0998 | 1 Freebsd | 1 Freebsd | 2024-08-08 | N/A |
Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function. |