CVE-2026-6386 - Vulnerability Details

- Missing large page handling in pmap_pkru_update_range()

Description

In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.

The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.

Published: 2026-04-22

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The pmap_pkru_update_range() routine, which applies protection keys to address ranges, fails to handle 1 GB largepage mappings created via shm_create_largepage(3). This oversight causes the routine to treat regular user‑space memory as a page table, allowing an attacker to overwrite arbitrary memory that should otherwise be protected. This is a privilege escalation flaw identified as CWE‑269 (Improper Authorization) and CWE‑732 (Incorrect Access Control). The vulnerability permits an unprivileged local user to manipulate data in a way that can compromise process integrity or trigger arbitrary code execution.

Affected Systems

The affected product is FreeBSD. No specific version range is listed, suggesting that any FreeBSD kernel containing the unpatched pmap_pkru_update_range() routine is vulnerable. Until the fix noted in the FreeBSD-SA-26:11 advisory is applied, all FreeBSD installations that allow large pages and PKRU usage remain at risk.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, so known exploitation activity is unclear. However, the flaw is exploitable by an unprivileged local user who can request large page creation. The attack requires only local access and the ability to invoke shm_create_largepage(3), a common interface. Given the lack of a public exploit yet, the risk is moderate to high, especially for systems that run untrusted code with large page support enabled.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FreeBSD

unknown

Version	Status	Constraints
`15.0-RELEASE`	affected	< p6
`14.4-RELEASE`	affected	< p2
`14.3-RELEASE`	affected	< p11
`13.5-RELEASE`	affected	< p12

No data.

Vendor Product Confidence Versions

Freebsd

100%

Version	Status	Scheme	Platform
`[15.0-RELEASE, p6)`	affected	generic	—
`[14.4-RELEASE, p2)`	affected	generic	—
`[14.3-RELEASE, p11)`	affected	generic	—
`[13.5-RELEASE, p12)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a FreeBSD release that includes the pmap_pkru_update_range() patch referenced in the FreeBSD-SA-26:11 advisory
If an upgrade is not immediately possible, avoid using shm_create_largepage() in applications with untrusted users, or disable large page allocation for those users
As a temporary measure, disable or restrict the use of PKRU for lower‑privileged processes until the kernel fix is applied

Generated by OpenCVE AI on April 22, 2026 at 06:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc

History

Wed, 22 Apr 2026 03:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Freebsd Freebsd freebsd
Vendors & Products		Freebsd Freebsd freebsd

Wed, 22 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Description		In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page. The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
Title		Missing large page handling in pmap_pkru_update_range()
Weaknesses		CWE-269 CWE-732
References		https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc

Subscriptions

Freebsd Freebsd

MITRE

Status: PUBLISHED

Assigner: freebsd

Published: 2026-04-22T02:33:24.846Z

Updated: 2026-04-22T02:33:24.846Z

Reserved: 2026-04-15T19:18:20.083Z

Link: CVE-2026-6386

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T03:16:01.313

Modified: 2026-04-22T03:16:01.313

Link: CVE-2026-6386

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object