Description

The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier.

PUBLISHED Reserved 2026-05-29 | Published 2026-06-27 | Updated 2026-06-27 | Assigner freebsd

Problem types

CWE-179: Incorrect Behavior Order: Early Validation

Product status

Default status: unknown

15.0-RELEASE (release) before p10: affected

14.4-RELEASE (release) before p6: affected

14.3-RELEASE (release) before p15: affected

Credits

Synacktiv (finder)

References

security.freebsd.org/advisories/FreeBSD-SA-26:32.elf.asc (vendor advisory)

cve.org (CVE-2026-49414)

nvd.nist.gov (CVE-2026-49414)