Home

Description

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-22 | Updated 2026-04-22 | Assigner freebsd

Problem types

CWE-416: Use After Free

Product status

Default status
unknown

15.0-RELEASE (release) before p6
affected

14.4-RELEASE (release) before p2
affected

14.3-RELEASE (release) before p11
affected

13.5-RELEASE (release) before p12
affected

Credits

Nicholas Carlini using Claude, Anthropic finder

References

security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc vendor-advisory

cve.org (CVE-2026-5398)

nvd.nist.gov (CVE-2026-5398)

Download JSON