Description
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.

A malicious process can abuse the dangling pointer to grant itself root privileges.
Published: 2026-04-22
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Root privilege escalation
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free condition in the FreeBSD TIOCNOTTY handler allows a process that has cleared its controlling terminal to later access a dangling pointer in the terminal structure after the process exits. An attacker can use the freed reference to elevate privileges and gain root access.

Affected Systems

FreeBSD is the affected vendor. No specific product release or version information is listed in the advisory; the vulnerability applies to all affected FreeBSD releases for which the TIOCNOTTY handler implementation is unpatched.

Risk and Exploitability

The CVSS score is 8.4, and the EPSS score is below 1%, indicating a low probability of exploitation, but the vulnerability is known to allow local processes to gain root credentials. Since the attack requires the attacker to invoke the TIOCNOTTY ioctl on a controlling terminal, the likely vector is local access. The CVE is not listed in the CISA KEV catalog, yet it remains a critical privilege‑escalation flaw.

Generated by OpenCVE AI on April 22, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FreeBSD security updates that contain the TIOCNOTTY patch.
  • Restrict use of the TIOCNOTTY ioctl to privileged users only and disable it for untrusted processes.
  • Monitor for abnormal privilege‑escalation attempts and audit system processes that gain root privileges.

Generated by OpenCVE AI on April 22, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:beta3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:13.5:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.
Title Kernel use-after-free bug in the TIOCNOTTY handler
Weaknesses CWE-416
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-04-23T03:56:10.203Z

Reserved: 2026-04-02T01:48:17.131Z

Link: CVE-2026-5398

cve-icon Vulnrichment

Updated: 2026-04-22T14:24:12.587Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T03:16:01.213

Modified: 2026-05-01T12:49:44.270

Link: CVE-2026-5398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses