Description
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.

An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Published: 2026-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the way the Linuxulator component determines whether a binary is set-user-ID or set-group-ID. It relies on the P_SUGID process flag, which is not yet set when execve(2) builds the auxiliary vector, causing AT_SECURE to be incorrectly set to zero for set-user-ID or set-group-ID executables. This error allows an unprivileged local user to inject a shared library via LD_PRELOAD into such binaries and run code with the target binary’s privileges. The result is local privilege escalation, as the attacker gains the effective UID or GID of the set-user-ID or set-group-ID binary.

Affected Systems

The issue affects FreeBSD systems that run the Linuxulator feature. No specific version numbers were supplied in the advisory, so administrators should review the FreeBSD security announcement and ensure that any installations of FreeBSD with Linuxulator enabled are patched. If version information is missing, it is advisable to check with vendor documentation or updates for the relevant fixes.

Risk and Exploitability

Because the vulnerability only requires local access to manipulate environment variables, the attack vector is local. The CVSS score is 7.1 and the EPSS score is <1%, indicating a high severity but low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the potential to execute code with elevated privileges makes it a high‑risk issue once the environment variable can be controlled. Successful exploitation would give the attacker root or other privileged access, undermining system integrity.

Generated by OpenCVE AI on June 29, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the FreeBSD release that incorporates the Linuxulator fix as described in the official security advisory
  • As a temporary workaround, clear the LD_PRELOAD environment variable before launching any set-user-ID or set-group-ID binaries
  • Restrict write permissions on shared library directories and enforce strict controls over environment variable usage for privileged executables

Generated by OpenCVE AI on June 29, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Sat, 27 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Title Flaw in Linuxulator execution of setugid binaries
Weaknesses CWE-266
References

cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-29T13:05:38.668Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49413

cve-icon Vulnrichment

Updated: 2026-06-29T13:05:27.585Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:45:04Z

Weaknesses
  • CWE-266

    Incorrect Privilege Assignment