Description
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.

A malicious process can abuse the dangling pointer to grant itself root privileges.
Published: 2026-04-22
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Root privilege escalation
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free condition in the FreeBSD TIOCNOTTY handler allows a process that has cleared its controlling terminal to later access a dangling pointer in the terminal structure after the process exits. An attacker can use the freed reference to elevate privileges and gain root access.

Affected Systems

FreeBSD is the affected vendor. No specific product release or version information is listed in the advisory; the vulnerability applies to all affected FreeBSD releases for which the TIOCNOTTY handler implementation is unpatched.

Risk and Exploitability

The CVSS score is not provided, and EPSS is unavailable, but the vulnerability is known to allow local processes to gain root credentials. Since the attack requires the attacker to invoke the TIOCNOTTY ioctl on a controlling terminal, the likely vector is local access. The CVE is not listed in the CISA KEV catalog, yet it remains a critical privilege‑escalation flaw.

Generated by OpenCVE AI on April 22, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security updates that contain the TIOCNOTTY patch.
  • Restrict use of the TIOCNOTTY ioctl to privileged users only and disable it for untrusted processes.
  • Monitor for abnormal privilege‑escalation attempts and audit system processes that gain root privileges.

Generated by OpenCVE AI on April 22, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.
Title Kernel use-after-free bug in the TIOCNOTTY handler
Weaknesses CWE-416
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-04-22T14:24:21.661Z

Reserved: 2026-04-02T01:48:17.131Z

Link: CVE-2026-5398

cve-icon Vulnrichment

Updated: 2026-04-22T14:24:12.587Z

cve-icon NVD

Status : Received

Published: 2026-04-22T03:16:01.213

Modified: 2026-04-22T15:16:17.050

Link: CVE-2026-5398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T04:30:05Z

Weaknesses