Description
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered.

The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target.

An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
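
The pattern described above, reduced to a user-space C model. This is an added example, not FreeBSD kernel source: the struct, the function names, the error codes and the permission rules are all assumptions made for illustration. It shows the flawed shape beside the corrected one, and a regression check that inspects the target's state rather than the return code.

```c
#include <errno.h>
#include <stdio.h>
/* Simplified user-space model of the flaw; NOT FreeBSD kernel source.
 * All names and the permission rules below are assumptions for illustration. */
struct proc { int uid; int jail; int last_sig; };   /* jail 0 = host */

/* Stand-in for p_cansignal(): 0 when permitted, an errno value otherwise. */
static int model_cansignal(const struct proc *from, const struct proc *to)
{
    if (from->jail != 0 && from->jail != to->jail)
        return ESRCH;                 /* target outside the caller's jail */
    if (from->uid != 0 && from->uid != to->uid)
        return EPERM;                 /* different owner, caller not root */
    return 0;
}

/* Flawed shape: the check runs and its error is returned, but never consulted. */
int send_unchecked(const struct proc *from, struct proc *to, int sig)
{
    int error = model_cansignal(from, to);
    to->last_sig = sig;               /* delivered regardless of error */
    return error;
}

/* Corrected shape: delivery is gated on the check result. */
int send_checked(const struct proc *from, struct proc *to, int sig)
{
    int error = model_cansignal(from, to);
    if (error == 0)
        to->last_sig = sig;
    return error;
}

typedef int (*send_fn)(const struct proc *, struct proc *, int);
/* Returns 1 if a denied call still changed the target's state. */
int leaks_on_denial(send_fn fn, struct proc from, struct proc to, int sig)
{
    to.last_sig = 0;
    int error = fn(&from, &to, sig);
    return error != 0 && to.last_sig == sig;
}

int main(void)
{
    struct proc jailed = { 1001, 3, 0 }, rootd = { 0, 0, 0 };  /* constructed */
    printf("unchecked leaks: %d\n", leaks_on_denial(send_unchecked, jailed, rootd, 15));
    printf("checked leaks:   %d\n", leaks_on_denial(send_checked, jailed, rootd, 15));
    return 0;
}
```

Both variants return the same error for a denied call, so a test that asserts only on the return value passes against the flawed version; the check has to assert that the target is unchanged.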
Published: 2026-06-26
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw emerges when the thr_kill2(2) system call fails to honor the result of a permission check performed by p_cansignal(). As a consequence, signals are delivered even when the calling process lacks the necessary rights. This oversight permits an unprivileged local user to send arbitrary signals to any thread specified by its globally unique identifier, regardless of owner or jail boundaries. The impact is the ability to stop or terminate arbitrary processes, which can include critical system daemons, thereby causing a denial of service or enabling further escalation depending on the target process. Based on the description, it is inferred that the missing check directly causes undesired signal delivery.

Affected Systems

The vulnerability applies to the FreeBSD operating system: all releases before the patch that fixed the missing check in thr_kill2(2). The exact affected versions are not enumerated in the advisory, but any installation that has not applied the advertised fix is at risk.

Risk and Exploitability

The likely attack vector is local exploitation on the same host by an unprivileged user who knows or can guess the target's process and thread IDs. By brute‑forcing sequentially allocated thread IDs, an attacker can discover the necessary identifiers with no visibility into the target. Once the IDs are known, the exploit is trivial: craft a thr_kill2(2) call with any desired signal. The exploit probability is high in environments where local users have shell access and the system lacks restrictive controls on signal handling. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting it was not yet widely exploited. However, the simplicity of the attack vector and the potential for DoS justify urgent remediation.

Generated by OpenCVE AI on June 26, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest FreeBSD release that contains the patched thr_kill2(2) implementation.
  • Reduce local user privileges to limit their ability to guess or enumerate thread identifiers, for example by enforcing the least privilege principle or using user namespaces.
  • Implement tighter jail or container boundaries to restrict signal delivery across process boundaries and monitor for anomalous signal usage.



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Freebsd; Freebsd freebsd
Vendors & Products | (none) | Freebsd; Freebsd freebsd

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
Title | (none) | Missing permission check in thr_kill2(2)
Weaknesses | (none) | CWE-269
References

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-26T15:30:02.071Z

Reserved: 2026-05-11T16:27:44.891Z

Link: CVE-2026-45256

Vulnrichment

Updated: 2026-06-26T15:29:56.651Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T20:00:05Z

Weaknesses
  • CWE-269

    Improper Privilege Management