Stack buffer overflow via setcred(2)_CVE-2026-45250

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.

Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.

Basic Information

ID CVE-2026-45250

Source freebsd

Published May 21, 2026 at 08:37

Modified May 21, 2026 at 13:13

Affected Product

Vendor FreeBSD

Product FreeBSD

Version 15.0-RELEASE

Affected Versions FreeBSD FreeBSD 15.0-RELEASE
FreeBSD FreeBSD 14.4-RELEASE
FreeBSD FreeBSD 14.3-RELEASE

CWE Classification

CWE-121

References

security.freebsd.org /advisories/FreeBSD-SA-26:18.setcred.asc

{
    "lastseen": "",
    "description": "The setcred(2) system call is only available to privileged users.  However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length.  If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.\n\nBecause the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege.  Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.",
    "published": "2026-05-21T08:37:17.553Z",
    "modified": "2026-05-21T13:13:23.520Z",
    "type": "cve",
    "title": "Stack buffer overflow via setcred(2)",
    "source": "freebsd",
    "references": "https://security.freebsd.org/advisories/FreeBSD-SA-26:18.setcred.asc",
    "id": "CVE-2026-45250",
    "bulletinFamily": "",
    "cwe": [
        "CWE-121"
    ],
    "cvelist": null,
    "sourceData": "FreeBSD FreeBSD 15.0-RELEASE\nFreeBSD FreeBSD 14.4-RELEASE\nFreeBSD FreeBSD 14.3-RELEASE",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "FreeBSD",
    "version": "15.0-RELEASE",
    "vendor": "FreeBSD",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}