Description
The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen.

An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.
Published: 2026-06-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The per-process ASLR preference set with procctl(2) PROC_ASLR_CTL is supposed to be discarded when a set-id image is activated, so that an unprivileged caller cannot influence the memory layout of a process that is about to gain privilege. In the affected ELF image activator the preference flags are cleared only after the PIE base address has been computed, so a PROC_ASLR_FORCE_DISABLE request made before execve(2) is still honoured at the moment the base is chosen. The setuid PIE is therefore loaded at its fixed, non-randomised base even though the flag itself does end up cleared, which means that inspecting the process's ASLR state after the exec gives no hint that randomisation was skipped. This is a mitigation bypass rather than a memory-safety bug in its own right: on its own it does nothing, but any separate memory corruption vulnerability in the set-id binary can then be exploited with known addresses for the main executable, which is exactly what PIE plus ASLR is meant to deny.
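The ordering problem is easiest to see in a reduced model. The C below is an added illustration written for this page, not FreeBSD's imgact_elf.c or anything from the advisory: the flag and field names (P2_ASLR_DISABLE, credential_setid) are modelled on the kernel's, the load address, window size and entropy source are illustrative stand-ins, and the two exec functions differ only in whether the set-id clearing step runs before or after the base is picked. It also shows why the flag state after exec is not a useful indicator: both orderings leave the flags cleared.

```c
/*
 * Simplified model of the ordering bug behind CVE-2026-49414 (added example,
 * not FreeBSD's code). Two steps of set-id image activation are modelled:
 *   (1) clear user-requested ASLR preferences for a set-id image,
 *   (2) pick the PIE base address.
 * The vulnerable activator ran (2) before (1); the fix is to run (1) first.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

#define P2_ASLR_ENABLE   0x1u   /* modelled on procctl(PROC_ASLR_FORCE_ENABLE) */
#define P2_ASLR_DISABLE  0x2u   /* modelled on procctl(PROC_ASLR_FORCE_DISABLE) */

#define PAGE_SIZE        4096ul
#define ET_DYN_LOAD_ADDR 0x01021000ul  /* fixed PIE base when ASLR is off (illustrative) */
#define ASLR_PAGES       0x10000ul     /* randomisation window in pages (illustrative) */

struct image {
    bool     credential_setid;  /* image is set-uid/set-gid */
    unsigned p2_flags;          /* per-process preference flags inherited across execve */
    bool     sysctl_aslr;       /* system-wide ASLR switch */
};

/* Deterministic stand-in for the kernel's entropy source so runs are reproducible. */
static uint32_t rng_state = 0x9e3779b9u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state = x;
    return x;
}

/* Step (1): a set-id image must not inherit the caller's ASLR preference. */
static void clear_setid_prefs(struct image *img) {
    if (img->credential_setid)
        img->p2_flags &= ~(P2_ASLR_ENABLE | P2_ASLR_DISABLE);
}

/* Decides on randomisation using whatever is in p2_flags *at this moment*. */
static bool aslr_active(const struct image *img) {
    if (img->p2_flags & P2_ASLR_DISABLE) return false;
    if (img->p2_flags & P2_ASLR_ENABLE)  return true;
    return img->sysctl_aslr;
}

/* Step (2): fixed base when ASLR is off, otherwise a non-zero random page offset. */
static uintptr_t pick_pie_base(const struct image *img) {
    if (!aslr_active(img))
        return ET_DYN_LOAD_ADDR;
    uintptr_t pages = (rng_next() % (ASLR_PAGES - 1)) + 1;
    return ET_DYN_LOAD_ADDR + pages * PAGE_SIZE;
}

/* Vulnerable ordering: base chosen first, preferences cleared afterwards. */
uintptr_t exec_base_vulnerable(struct image *img) {
    uintptr_t base = pick_pie_base(img);
    clear_setid_prefs(img);
    return base;
}

/* Fixed ordering: preferences cleared before the base is chosen. */
uintptr_t exec_base_fixed(struct image *img) {
    clear_setid_prefs(img);
    return pick_pie_base(img);
}

/* The attacker's process state: force-disable requested, then execve() of the image. */
struct image attacker_image(bool setid) {
    struct image img = { .credential_setid = setid, .p2_flags = P2_ASLR_DISABLE,
                         .sysctl_aslr = true };
    return img;
}

int main(void) {
    struct image a = attacker_image(true), b = attacker_image(true);
    printf("vulnerable ordering, setuid PIE, two execs: %#lx %#lx\n",
           (unsigned long)exec_base_vulnerable(&a), (unsigned long)exec_base_vulnerable(&b));
    struct image c = attacker_image(true), d = attacker_image(true);
    printf("fixed ordering,      setuid PIE, two execs: %#lx %#lx\n",
           (unsigned long)exec_base_fixed(&c), (unsigned long)exec_base_fixed(&d));
    printf("flags after exec: vulnerable=%#x fixed=%#x\n", a.p2_flags, c.p2_flags);
    return 0;
}
```

Under the vulnerable ordering two execs of the set-id image land on the same fixed base; under the fixed ordering the user's disable request is discarded and each exec gets a different base. For a non-set-id image the disable request is honoured under either ordering, which is the legitimate use of procctl(2) that the clearing step is meant to exempt set-id images from.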

Affected Systems

Affected systems are FreeBSD installations whose kernel contains the unpatched ELF image activator and which run set-uid or set-gid PIE executables. The CVE record (assigner: freebsd) lists no affected release range and no advisory reference at this time, so any FreeBSD version carrying the unpatched code should be treated as affected until the vendor advisory says otherwise. Administrators should review the advisory once it is published and test the fix on their current releases; the practical local test is to run a set-uid PIE binary twice under an ASLR-disable request and compare where it was loaded.
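A probe for that local test, added here and not taken from the advisory. It is a small PIE that prints a page-aligned address inside its own text segment (which moves with the PIE base) and, when built on FreeBSD, the process's ASLR preference as reported by procctl(2) PROC_ASLR_STATUS. The build flags, the set-uid install step, the use of proccontrol(1) to issue the disable request, and the 4096-byte page size are assumptions for a typical amd64 host; the PROC_ASLR_* names are those of procctl(2). Because the description says the preference flags are cleared during exec in both the vulnerable and the fixed kernel, the status line is context only; the verdict comes from comparing the anchor across two set-uid runs.

```c
/*
 * Host check for CVE-2026-49414 (added example, not the advisory's code).
 * Build, install set-uid (root for the install step) and run twice as an
 * unprivileged user under an ASLR-disable request:
 *   cc -fPIE -pie -O1 -o aslr_probe aslr_probe.c
 *   chown root:wheel aslr_probe && chmod 4755 aslr_probe
 *   proccontrol -m aslr -s disable ./aslr_probe
 *   proccontrol -m aslr -s disable ./aslr_probe
 * Identical "text anchor" values across the two set-uid runs mean the kernel
 * honoured the unprivileged disable for a set-id image (vulnerable); differing
 * values mean the preference was discarded before the base was chosen (fixed).
 * Without the set-uid bit the anchor is expected to repeat on every kernel;
 * that run only confirms the harness itself works.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#endif

#define PROBE_PAGE 4096u  /* assumed page size */

/* Page-aligned address inside this executable's text: it moves with the PIE base. */
uintptr_t text_anchor(void) {
    return (uintptr_t)&text_anchor & ~(uintptr_t)(PROBE_PAGE - 1);
}

/* 1 when the effective uid differs from the real uid, i.e. a set-uid invocation. */
int setid_run(void) {
    return geteuid() != getuid();
}

/* PROC_ASLR_STATUS for the calling process, or -1 when it cannot be queried. */
int aslr_status(void) {
#ifdef __FreeBSD__
    int st = 0;
    if (procctl(P_PID, getpid(), PROC_ASLR_STATUS, &st) == -1)
        return -1;
    return st;
#else
    return -1;  /* procctl(2) PROC_ASLR_CTL/PROC_ASLR_STATUS is FreeBSD-specific */
#endif
}

/* Human-readable preference; the PROC_ASLR_ACTIVE bit is reported separately. */
const char *describe_status(int st) {
    if (st == -1)
        return "status unavailable";
#ifdef __FreeBSD__
    switch (st & ~PROC_ASLR_ACTIVE) {
    case PROC_ASLR_FORCE_ENABLE:  return "force-enable";
    case PROC_ASLR_FORCE_DISABLE: return "force-disable";
    case PROC_ASLR_NOFORCE:       return "no force (system default applies)";
    default:                      return "unrecognised";
    }
#else
    return "unrecognised";
#endif
}

int main(void) {
    int st = aslr_status();
    printf("uid=%u euid=%u set-id run: %s\n", (unsigned)getuid(), (unsigned)geteuid(),
           setid_run() ? "yes" : "no");
    printf("text anchor: %#lx\n", (unsigned long)text_anchor());
    printf("aslr preference: %s", describe_status(st));
#ifdef __FreeBSD__
    if (st != -1 && (st & PROC_ASLR_ACTIVE))
        printf(" [randomisation reported active]");
#endif
    printf("\n");
    return 0;
}
```

Run the non-set-uid copy first under the same proccontrol(1) invocation: the anchor must repeat there on any kernel, which confirms the disable request is reaching the process. Only the set-uid copy distinguishes a vulnerable kernel from a fixed one.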

Risk and Exploitability

The severity is hard to score because the bug is a mitigation bypass rather than an exploitable flaw by itself, which is why no CVSS or EPSS value is available; in practice it matters whenever a set-id PIE binary on the host has a separate memory corruption bug, because the attacker can then work with fixed addresses for the main executable instead of having to leak or guess them. The attack vector is local: an unprivileged user sets the preference with procctl(2) in a process they own and then execs the set-id binary, so nothing beyond ordinary shell access is required. The weakness is classified as CWE-179 (Incorrect Behavior Order: Early Validation), the clearing step running after the decision it was meant to gate, and the CVE is not currently listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 27, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the FreeBSD kernel fix that restores the correct ordering once the official advisory and patch are published; the record currently lists no advisory or reference.
  • Upgrade to a release or errata branch that includes the fix if the running kernel cannot be patched directly.
  • Reduce the attack surface by removing unnecessary set-uid and set-gid binaries. Do not replace set-uid PIE binaries with non-PIE builds: a non-PIE executable is loaded at a fixed address unconditionally, which is the state the attacker is trying to reach. The record describes no workaround for the per-process procctl(2) control itself.


Advisories

No advisories yet.

History

Sat, 27 Jun 2026 10:00:00 +0000

Change (values added; nothing removed):
  • Description: The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.
  • Title: ASLR bypass for setuid executables via procctl(2)
  • Weaknesses: CWE-179
  • References: (none)


MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-27T09:22:23.307Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49414

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T11:30:15Z

Weaknesses
  • CWE-179: Incorrect Behavior Order: Early Validation