Description
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.

An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Published: 2026-06-26
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The KTLS receive path in FreeBSD decrypts data in place under the assumption that the mbuf buffers are anonymous and safe to modify. However, mbufs created by sendfile(2) can contain file-backed memory. When a local attacker sends such data across a loopback connection with KTLS receive enabled, the decryption occurs directly on the file-backed buffer, overwriting the original file's page cache. This allows a user who can read a file to overwrite that file with chosen content, bypassing protection flags and causing data corruption. By overwriting a setuid binary or another privileged file, the attacker can gain root privileges.

Affected Systems

This vulnerability is present in the FreeBSD operating system. No specific version range is listed, so all releases that include the vulnerable KTLS receive code and have not been patched should be considered at risk. The issue arises when KTLS receive is enabled on a socket over a loopback connection in an environment where a local user can read the target files.

Risk and Exploitability

The CVSS score is 7.8, and EPSS score data is unavailable. The vulnerability can be exploited locally by any unprivileged user who can read a file and open a loopback connection; it requires neither network access nor a prior credential compromise. Because it enables privilege escalation through overwriting of trusted binaries, the potential impact is high, but the lack of a remote attack vector and the absence of EPSS data make the overall exploitation likelihood uncertain. The vulnerability is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 26, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security update that contains the KTLS bug fix.
  • Disable KTLS receive on loopback connections so that the vulnerable in-place decryption path is not reached.
  • Restrict read access to critical files (e.g., setuid binaries) so that unprivileged local users cannot read them.
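
As an added example (not code from the OpenCVE page or from FreeBSD), the following POSIX shell script implements two checks a defender can run on a FreeBSD host in response to the actions above: it reports the state of the system-wide kern.ipc.tls.enable sysctl (assumed here to be the relevant control, since the advisory names no finer-grained per-connection switch), and it baselines the digests of setuid/setgid files so that an on-disk overwrite of a trusted binary is noticed even though file flags such as schg were bypassed. The function names hash_file, ktls_global_state, setuid_baseline and setuid_compare are the example's own.

```shell
#!/bin/sh
# Added example for this advisory; not code from OpenCVE or FreeBSD.
# Two defender-side checks that follow from the recommended actions:
#   1. ktls_global_state  - reports the FreeBSD sysctl kern.ipc.tls.enable.
#      Assumption: this system-wide knob is the control to use, since the
#      advisory names no per-connection switch; the function reports
#      "unavailable" where the sysctl does not exist (e.g. on non-FreeBSD hosts).
#   2. setuid_baseline / setuid_compare - hash every setuid/setgid file under
#      a directory and diff against a stored baseline, so an on-disk overwrite
#      of a trusted binary is detected after the fact.

hash_file() {
    # sha256(1) on FreeBSD, sha256sum(1) on GNU userland; both yield the hex digest.
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

ktls_global_state() {
    # Prints "enabled", "disabled" or "unavailable".
    v=$(sysctl -n kern.ipc.tls.enable 2>/dev/null) || { echo unavailable; return 0; }
    [ -n "$v" ] || { echo unavailable; return 0; }
    if [ "$v" = "0" ]; then echo disabled; else echo enabled; fi
}

setuid_baseline() {
    # $1 = directory to scan, $2 = baseline file to write ("<digest>  <path>" per line).
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

setuid_compare() {
    # $1 = directory, $2 = stored baseline. Prints each path whose digest differs
    # from (or is absent in) the baseline; returns 1 when anything changed.
    cur=$(mktemp) || return 2
    setuid_baseline "$1" "$cur"
    changed=$(diff "$2" "$cur" | sed -n 's/^> [0-9a-f]*  //p')
    rm -f "$cur"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Usage on a live host (assumption: run as root so every setuid file is readable):
#   ktls_global_state
#   setuid_baseline / /var/db/setuid.baseline     # once, on a known-good system
#   setuid_compare  / /var/db/setuid.baseline     # later, e.g. from a periodic job
```

The baseline must be taken on a system that is known to be clean and stored where an unprivileged user cannot modify it; a change report is only evidence that a file differs from that baseline, so compare it against legitimate updates before treating it as tampering.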


Tracking

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Freebsd
                                       Freebsd freebsd
Vendors & Products                     Freebsd
                                       Freebsd freebsd

Fri, 26 Jun 2026 16:30:00 +0000

Type        Values Removed    Values Added
References
Metrics                       cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type          Values Removed    Values Added
Description                     (the vulnerability description shown in the Description section at the top of this page)
Title                           Arbitrary file overwrite via the KTLS receive path
Weaknesses                      CWE-123
References

MITRE
Status: PUBLISHED
Assigner: freebsd
Published:
Updated: 2026-06-26T15:26:41.506Z
Reserved: 2026-05-11T16:27:44.891Z
Link: CVE-2026-45257

Vulnrichment
Updated: 2026-06-26T14:57:59.851Z

NVD
No data.

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-06-26T19:00:04Z

Weaknesses
  • CWE-123: Write-what-where Condition