Impact
The pmap_pkru_update_range() routine, which applies protection keys to address ranges, fails to handle 1 GB largepage mappings created via shm_create_largepage(3). This oversight causes the routine to treat regular user-space memory as a page table, allowing an attacker to overwrite arbitrary memory that should otherwise be protected. This is a privilege escalation flaw identified as CWE-269 (Improper Authorization) and CWE-732 (Incorrect Access Control). The vulnerability permits an unprivileged local user to manipulate data in a way that can compromise process integrity or trigger arbitrary code execution.
Affected Systems
The affected product is FreeBSD. No specific version range is listed, suggesting that any FreeBSD kernel containing the unpatched pmap_pkru_update_range() routine is vulnerable. Until the fix noted in the FreeBSD-SA-26:11 advisory is applied, all FreeBSD installations that allow large pages and PKRU usage remain at risk.
Risk and Exploitability
The EPSS score is < 1%, indicating a very low but nonzero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable by an unprivileged local user who can request large page creation; the attack requires only local access and the ability to invoke shm_create_largepage(3). The CVSS score of 6.2 denotes moderate severity. Although there is no public exploit yet, the risk remains moderate to high for systems that run untrusted code with large page support enabled.