CVE-2026-45256
Awaiting Analysis Awaiting Analysis - Queue
Signal Permission Bypass in FreeBSD Kernel

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: FreeBSD

Description
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-45256
EUVD
EUVD-2026-39776
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freebsd freebsd From 2026-06-09 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in the FreeBSD system call thr_kill2(2), which is used to deliver signals to specific threads within a process. The problem is that the system call calls a permission check function (p_cansignal()) to verify if the signal delivery is allowed, but it does not check the result of this permission verification before sending the signal. Consequently, the signal is delivered even if the permission check fails.

An unprivileged local user who knows or can guess the target process and thread IDs can exploit this flaw to send signals to processes they normally would not have permission to signal, including those owned by other users or root, and processes in different jails. Thread IDs are globally and sequentially allocated, making them discoverable by brute force without needing visibility into the target.

This can allow an attacker to stop or terminate arbitrary processes, including critical system daemons, potentially causing a Denial of Service (DoS).

Impact Analysis

This vulnerability can allow an unprivileged local attacker to send signals to and potentially stop or terminate arbitrary processes on the system, including critical system daemons.

The impact includes the possibility of causing a Denial of Service (DoS) by disrupting essential services or processes that are normally protected from such interference.

Additionally, because the vulnerability bypasses jail boundaries, an attacker in a jailed environment could affect processes on the host or in other jails, increasing the scope of potential damage.

Detection Guidance

This vulnerability involves the thr_kill2(2) system call improperly delivering signals to threads without proper permission checks. Detection involves identifying if unprivileged users are able to send signals to processes they normally cannot signal.

Since the vulnerability requires knowledge or guessing of process and thread IDs, and thread IDs are allocated globally and sequentially, detection could involve monitoring unusual signal delivery patterns or unexpected process terminations.

However, the advisory does not provide specific detection commands or tools.

Mitigation Strategies

The FreeBSD Project has released patches that fix this vulnerability by correcting the permission check in the thr_kill2(2) system call.

Immediate mitigation steps include upgrading your FreeBSD system to a supported stable or release/security branch dated after June 9, 2026.

After applying the update, reboot the system to ensure the patch is active.

Workarounds are not available, so applying the official patches is the only effective mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45256. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart