Impact
The flaw lies in the way the Linuxulator component determines whether a binary is set‑user‑ID or set‑group‑ID. It relies on the P_SUGID process flag, which is not yet set when execve(2) builds the auxiliary vector, causing AT_SECURE to be incorrectly set to zero for set‑user‑ID or set‑group‑ID executables. This error allows an unprivileged local user to inject a shared library via LD_PRELOAD into such binaries and run code with the target binary’s privileges. The result is local privilege escalation, as the attacker gains the effective UID or GID of the set‑user‑ID or set‑group‑ID binary.
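The condition described above can be checked from inside a process. The following is an added example, not code from the advisory or from FreeBSD: a Linux (glibc) program that compares the AT_SECURE entry of its auxiliary vector with its real and effective IDs. The names `auxv_lookup`, `creds_need_secure` and `check_auxv` are hypothetical, and the rule that AT_SECURE must be nonzero whenever real and effective IDs differ is the assumption the check rests on.

```c
/* Added example: AT_SECURE versus process credentials (helper names are hypothetical). */
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE, AT_NULL (glibc) */
#include <sys/types.h>
#include <unistd.h>

enum auxv_verdict { AUXV_MISSING = -1, AUXV_OK = 0, AUXV_MISMATCH = 1 };

/* Walk a (type, value) auxiliary vector terminated by AT_NULL. */
static int auxv_lookup(const unsigned long *auxv, unsigned long type,
                       unsigned long *out)
{
    for (; auxv[0] != AT_NULL; auxv += 2) {
        if (auxv[0] == type) {
            *out = auxv[1];
            return 1;
        }
    }
    return 0;
}

/* Assumption: AT_SECURE must be nonzero when real and effective IDs differ. */
static int creds_need_secure(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* AUXV_MISMATCH is the state the advisory describes: elevated IDs, AT_SECURE == 0. */
static enum auxv_verdict check_auxv(const unsigned long *auxv, uid_t ruid,
                                    uid_t euid, gid_t rgid, gid_t egid)
{
    unsigned long secure;

    if (!auxv_lookup(auxv, AT_SECURE, &secure))
        return AUXV_MISSING;
    if (creds_need_secure(ruid, euid, rgid, egid) && secure == 0)
        return AUXV_MISMATCH;
    return AUXV_OK;
}

int main(void)
{
    /* Live check: a two-entry vector built from the running process. */
    unsigned long live[] = { AT_SECURE, getauxval(AT_SECURE), AT_NULL, 0 };
    enum auxv_verdict v = check_auxv(live, getuid(), geteuid(), getgid(), getegid());

    printf("AT_SECURE=%lu uid=%u euid=%u -> %s\n", live[1], (unsigned)getuid(),
           (unsigned)geteuid(), v == AUXV_MISMATCH ? "MISMATCH" : "consistent");
    return v == AUXV_OK ? 0 : 1;
}
```

Built as a Linux binary and installed set‑user‑ID on a test host, it exits nonzero and prints MISMATCH when the Linuxulator hands it AT_SECURE=0 despite differing real and effective IDs.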
Affected Systems
The issue affects FreeBSD systems that run the Linuxulator feature. The advisory supplied no specific version numbers, so administrators should review the FreeBSD security announcement and confirm that every FreeBSD installation with Linuxulator enabled is patched, checking vendor documentation or updates for the relevant fixes.
Risk and Exploitability
Because the vulnerability requires only local access to manipulate environment variables, the attack vector is local. There is no publicly disclosed CVSS score or EPSS probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the potential to execute code with elevated privileges makes it a high‑risk issue wherever a local user can control the environment variable. Successful exploitation would give the attacker root or other privileged access, undermining system integrity.