CVE-2026-5398
Received - Intake
Use-After-Free in FreeBSD TIOCNOTTY Allows Privilege Escalation

Publication date: 2026-04-22

Last updated on: 2026-05-01

Assigner: FreeBSD

Description
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.
Meta Information
Published: 2026-04-22
Last Modified: 2026-05-01
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 33 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 13.5
freebsd freebsd 14.3
freebsd freebsd 14.4
CWE
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-5398 is a kernel use-after-free vulnerability in the FreeBSD operating system's TIOCNOTTY ioctl handler within the tty subsystem.

The vulnerability occurs because the implementation of TIOCNOTTY fails to clear a back-pointer from the terminal structure to the calling process's session when the process detaches from its controlling terminal.

If the invoking process then exits, the terminal structure ends up containing a dangling pointer referencing freed memory.

A malicious process can exploit this dangling pointer to escalate its privileges and gain root access.
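
The missing back-pointer clear described above, reduced to a userspace C model as an added example (not FreeBSD kernel code and not taken from the advisory). All struct and function names are hypothetical, and an `alive` flag stands in for freeing the session so the stale reference can be detected without touching freed memory.

```c
/* Userspace model of the bug class; names are hypothetical, not FreeBSD's. */
#include <stdbool.h>
#include <stdio.h>

struct tty;
struct session {
    struct tty *ctty;         /* session -> controlling terminal */
    bool alive;               /* false models "this memory was freed" */
};
struct tty {
    struct session *session;  /* back-pointer: terminal -> session */
};

/* Flawed detach: only the session's side of the link is cleared. */
static void notty_flawed(struct session *s) {
    s->ctty = NULL;
}

/* Corrected detach: the terminal's back-pointer is cleared as well. */
static void notty_fixed(struct session *s) {
    struct tty *tp = s->ctty;
    if (tp != NULL && tp->session == s)
        tp->session = NULL;
    s->ctty = NULL;
}

/* Process exit: the session is released (modelled by the flag). */
static void session_release(struct session *s) {
    s->alive = false;
}

/* Invariant: a terminal must never reference a released session. */
static bool tty_is_dangling(const struct tty *tp) {
    return tp->session != NULL && !tp->session->alive;
}

/* Attach, detach with the given routine, exit; report a stale pointer. */
static bool run_scenario(void (*detach)(struct session *)) {
    struct tty tp = { NULL };
    struct session s = { &tp, true };
    tp.session = &s;
    detach(&s);
    session_release(&s);
    return tty_is_dangling(&tp);
}

int main(void) {
    printf("flawed: dangling=%d  fixed: dangling=%d\n",
           run_scenario(notty_flawed), run_scenario(notty_fixed));
    return 0;
}
```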


How can this vulnerability impact me?

This vulnerability can allow a malicious process to escalate its privileges to root level on affected FreeBSD systems.

With root privileges, an attacker can gain full control over the system, potentially leading to unauthorized access, data theft, system manipulation, or disruption of services.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a kernel use-after-free issue in the TIOCNOTTY ioctl handler within the FreeBSD tty subsystem. Detection involves verifying whether the system is running a vulnerable version of FreeBSD or if the patch has been applied.

You can inspect the system's patch status by checking the Git commit hashes associated with the fix on your FreeBSD branch. The advisory provides commands to inspect these commits and verify patch application.

Specific commands suggested include:

  • Using Git to check for the presence of the fix commit in the kernel source tree.
  • For binary distributions, using `freebsd-update` commands to check for available updates.
  • For package-based systems, using `pkg upgrade -r FreeBSD-base` to ensure the base system is up to date.

No direct runtime detection commands or network-based detection methods are provided in the advisory.


What immediate steps should I take to mitigate this vulnerability?

There is no workaround available for this vulnerability. The immediate mitigation step is to upgrade your FreeBSD system to a patched version released on or after April 21, 2026.

Upgrade methods include:

  • For systems installed from base system packages (e.g., FreeBSD 15.0 on amd64 or arm64), run: `pkg upgrade -r FreeBSD-base`.
  • For systems installed from binary distribution sets, run: `freebsd-update fetch` followed by `freebsd-update install`.
  • Alternatively, apply the source code patch manually by fetching the appropriate patch for your FreeBSD branch, verifying its PGP signature, applying it to the source tree, recompiling the kernel, and rebooting.

After applying the update or patch, reboot the system to ensure the fix is active.

