Impact
The vulnerability is in the implementation of the sigqueue(2) system call in the FreeBSD kernel. When Capsicum was added in 2011, sigqueue(2) was placed on the list of system calls permitted in capability mode, but the kern_sigqueue function was never updated to apply the capability-mode restriction that kill(2) enforces, namely that a sandboxed process may signal only itself. A process in capability mode can therefore use sigqueue(2) to deliver a signal to any process it is permitted to signal under ordinary Unix permission rules. An attacker who has compromised a sandboxed process can send SIGKILL, SIGSTOP or other signals to disrupt or terminate other processes owned by the same user or, if the sandboxed process runs as the superuser, any process on the host. This bypasses the confinement Capsicum is meant to provide: the ordinary permission check still applies, so the attacker gains no targets beyond those the compromised process's user could reach outside the sandbox, but the sandbox no longer limits signal delivery at all.
Affected Systems
The flaw affects all FreeBSD releases that have not applied the fix referenced in the FreeBSD security advisory FreeBSD-SA-28.capsicum. No specific version information is provided here, so every unpatched installation should be treated as vulnerable. Because the defect is in the kernel, every process that relies on capability mode for confinement is exposed whether or not it calls sigqueue(2) itself; what matters is that code running inside the sandbox, including injected attacker code, can call it.
Risk and Exploitability
Because a sandboxed process can target any process it could signal outside the sandbox, the flaw is a sandbox escape with denial-of-service impact (stopping or killing processes); it does not by itself grant privileges beyond those of the sandboxed process's user, but a root-owned sandboxed process can signal every process on the host. No CVSS score is listed, but a failure to enforce capability mode on a permitted system call undermines the sandbox's core guarantee and is a severe issue. No EPSS score is available, and the flaw is not yet present in CISA KEV, but exploitation requires nothing more than a single system call from inside the sandbox, and the critical role of signal handling argues for prompt remediation.
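The following probe is an added example, not code from the FreeBSD advisory or the FreeBSD source tree. Since no version list is given above, it lets an administrator check a host directly: the parent creates a child with pdfork(2), enters capability mode with cap_enter(2), and then attempts kill(2) and sigqueue(2) against the child's pid with signal 0 (a permission check with no delivery, so the child is never harmed). kill(2) is expected to fail with ECAPMODE on every kernel; the example assumes that a patched kernel makes sigqueue(2) fail the same way, while a vulnerable kernel lets the call succeed. Cleanup uses pdkill(2) and close(2) on the process descriptor, which remain permitted in capability mode. The function and enum names are the example's own. The block compiles on non-FreeBSD hosts (where it reports PROBE_UNSUPPORTED) only so that the classification logic can be exercised anywhere; the fallback ECAPMODE value is FreeBSD's errno number and is an assumption for that build.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#ifdef __FreeBSD__
#include <sys/capsicum.h>
#include <sys/procdesc.h>
#endif

/* Non-FreeBSD hosts have no ECAPMODE; FreeBSD defines it as 94. Assumed value
 * used only so classify() can be compiled and tested off-host. */
#ifndef ECAPMODE
#define ECAPMODE 94
#endif

enum capmode_probe {
    PROBE_UNSUPPORTED = -1, /* host is not FreeBSD, nothing was probed     */
    PROBE_PATCHED = 0,      /* sigqueue(2) refused with ECAPMODE like kill */
    PROBE_VULNERABLE = 1,   /* sigqueue(2) reached a foreign pid in capmode */
    PROBE_UNEXPECTED = 2    /* cap_enter did not bite or odd errno; inspect */
};

/* Pure decision logic, separated from the syscalls so it can be unit tested.
 * kill(2) to another pid must fail with ECAPMODE once we are sandboxed; only
 * then is the sigqueue(2) outcome meaningful. */
enum capmode_probe classify(int kill_rc, int kill_errno, int sq_rc, int sq_errno)
{
    if (kill_rc == 0 || kill_errno != ECAPMODE)
        return PROBE_UNEXPECTED;
    if (sq_rc == 0)
        return PROBE_VULNERABLE;
    if (sq_errno == ECAPMODE)
        return PROBE_PATCHED;
    return PROBE_UNEXPECTED;
}

/* Fork a sleeping child, enter capability mode, and compare how the kernel
 * treats kill(2) and sigqueue(2) aimed at that child. */
enum capmode_probe probe_sigqueue_capmode(void)
{
#ifdef __FreeBSD__
    int pd;
    pid_t child = pdfork(&pd, 0);   /* process descriptor: pdkill() works in capmode */
    if (child < 0)
        return PROBE_UNEXPECTED;
    if (child == 0) {
        for (;;)
            pause();                /* target only; never signalled for real */
    }

    if (cap_enter() != 0) {         /* from here on, the parent is sandboxed */
        pdkill(pd, SIGKILL);
        close(pd);
        return PROBE_UNEXPECTED;
    }

    errno = 0;
    int kill_rc = kill(child, 0);   /* expected: -1 / ECAPMODE on every kernel */
    int kill_errno = errno;

    union sigval v;
    v.sival_int = 0;
    errno = 0;
    int sq_rc = sigqueue(child, 0, v); /* 0 on a vulnerable kernel, -1/ECAPMODE when fixed */
    int sq_errno = errno;

    pdkill(pd, SIGKILL);            /* allowed in capability mode via the descriptor */
    close(pd);                      /* last reference: child is killed and reaped */
    return classify(kill_rc, kill_errno, sq_rc, sq_errno);
#else
    return PROBE_UNSUPPORTED;
#endif
}

int main(void)
{
    static const char *const names[] = {
        "unsupported host", "patched", "VULNERABLE", "unexpected result"
    };
    enum capmode_probe r = probe_sigqueue_capmode();
    printf("sigqueue(2) in capability mode: %s\n", names[r + 1]);
    return r == PROBE_VULNERABLE ? 1 : 0;
}
```

Run it as an unprivileged user on the host under test; it exits non-zero and prints VULNERABLE when sigqueue(2) slips past the sandbox. Using signal 0 keeps the probe side-effect free, but the kernel paths exercised are the same ones an attacker would use with SIGKILL or SIGSTOP.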
OpenCVE Enrichment