ASLR bypass for setuid executables via procctl(2)
Summary
| CVE | CVE-2026-49414 |
|---|---|
| State | PUBLISHED |
| Assigner | freebsd |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-27 10:16:37 UTC |
| Updated | 2026-06-27 10:16:37 UTC |
| Description | The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier. |
Risk And Classification
Problem Types: CWE-179 | CWE-179 CWE-179: Incorrect Behavior Order: Early Validation
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc | [email protected] | security.freebsd.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Synacktiv (en)
There are currently no legacy QID mappings associated with this CVE.