CVE-2026-5398
Received Received - Intake
Use-After-Free in FreeBSD TIOCNOTTY Allows Privilege Escalation

Publication date: 2026-04-22

Last updated on: 2026-05-01

Assigner: FreeBSD

Description
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-05-01
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5398
EUVD
EUVD-2026-24589
Affected Vendors & Products
Showing 33 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 15.0
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 13.5
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-5398 is a kernel use-after-free vulnerability in the FreeBSD operating system's TIOCNOTTY ioctl handler within the tty subsystem.

The vulnerability occurs because the implementation of TIOCNOTTY fails to clear a back-pointer from the terminal structure to the calling process's session when the process detaches from its controlling terminal.

If the invoking process then exits, the terminal structure ends up containing a dangling pointer referencing freed memory.

A malicious process can exploit this dangling pointer to escalate its privileges and gain root access.

Impact Analysis

This vulnerability can allow a malicious process to escalate its privileges to root level on affected FreeBSD systems.

With root privileges, an attacker can gain full control over the system, potentially leading to unauthorized access, data theft, system manipulation, or disruption of services.

Detection Guidance

This vulnerability is a kernel use-after-free issue in the TIOCNOTTY ioctl handler within the FreeBSD tty subsystem. Detection involves verifying whether the system is running a vulnerable version of FreeBSD or if the patch has been applied.

You can inspect the system's patch status by checking the Git commit hashes associated with the fix on your FreeBSD branch. The advisory provides commands to inspect these commits and verify patch application.

Specific commands suggested include:

  • Using Git to check for the presence of the fix commit in the kernel source tree.
  • For binary distributions, using `freebsd-update` commands to check for available updates.
  • For package-based systems, using `pkg upgrade -r FreeBSD-base` to ensure the base system is up to date.

No direct runtime detection commands or network-based detection methods are provided in the advisory.

Mitigation Strategies

There is no workaround available for this vulnerability. The immediate mitigation step is to upgrade your FreeBSD system to a patched version released on or after April 21, 2026.

Upgrade methods include:

  • For systems installed from base system packages (e.g., FreeBSD 15.0 on amd64 or arm64), run: `pkg upgrade -r FreeBSD-base`.
  • For systems installed from binary distribution sets, run: `freebsd-update fetch` followed by `freebsd-update install`.
  • Alternatively, apply the source code patch manually by fetching the appropriate patch for your FreeBSD branch, verifying its PGP signature, applying it to the source tree, recompiling the kernel, and rebooting.

After applying the update or patch, reboot the system to ensure the fix is active.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5398. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart