Description
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.

Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Published: 2026-05-21
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The setcred(2) system call is vulnerable because a supplied list of supplementary groups is copied into a fixed-size kernel stack buffer before the caller’s privilege level is verified. If the list exceeds the buffer limit, this causes a stack buffer overflow that allows an unprivileged local user to execute arbitrary code in kernel context, resulting in elevation of privileges.

Affected Systems

The vulnerability affects FreeBSD systems that include the unpatched implementation of setcred(2); specific affected release numbers are not enumerated in the advisory, but any FreeBSD build prior to the update cited in the FreeBSD SA-26:18 announcement is potentially vulnerable. Administrators should consult the advisory for the exact patch level and ensure their deployments are updated accordingly.

Risk and Exploitability

Because the overflow occurs before privilege validation, the attacker only needs local access; no network or elevated privilege is required. The CVSS score is 7.8 and the EPSS score is < 1%, indicating a low but non-zero probability of exploitation. The nature of the vulnerability (kernel code execution) and absence of a KEV listing imply a high intrinsic risk. The attack vector is local and would succeed if an attacker can run a local program that supplies a too‑large supplementary group list to setcred(2).

Generated by OpenCVE AI on May 21, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch and kernel update detailed in the FreeBSD SA-26:18 setcred advisory
  • Reboot the system after the kernel update so the new code is loaded
  • Restrict non‑privileged users from calling setcred(2) (e.g., via system configuration changes) until the patch is applied

Generated by OpenCVE AI on May 21, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 21 May 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p13:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p8:*:*:*:*:*:*

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Thu, 21 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Title Stack buffer overflow via setcred(2)
Weaknesses CWE-121
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-05-21T17:41:29.848Z

Reserved: 2026-05-11T16:27:44.891Z

Link: CVE-2026-45250

cve-icon Vulnrichment

Updated: 2026-05-21T17:41:29.848Z

cve-icon NVD

Status : Modified

Published: 2026-05-21T09:16:30.010

Modified: 2026-05-21T19:16:53.243

Link: CVE-2026-45250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T15:30:13Z

Weaknesses